[Openstack-security] [Bug 1300274] Re: V3 Authentication Chaining - uniqueness of auth method names
OpenStack Infra
1300274 at bugs.launchpad.net
Wed Apr 2 16:31:00 UTC 2014
Reviewed: https://review.openstack.org/84425
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c
Submitter: Jenkins
Branch: master
commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c
Author: Florent Flament <florent.flament-ext at cloudwatt.com>
Date: Tue Apr 1 12:48:22 2014 +0000
Sanitizes authentication methods received in requests.
When a user authenticates against Identity V3 API, he can specify
multiple authentication methods. This patch removes duplicates, which
could have been used to achieve DoS attacks.
Change-Id: Iec9a1875a4ff6e2fac0fb2c3db6f3ce34a5dfd1d
Closes-Bug: 1300274
** Changed in: keystone
Status: In Progress => Fix Committed
--
https://bugs.launchpad.net/bugs/1300274
Title:
V3 Authentication Chaining - uniqueness of auth method names
Status in OpenStack Identity (Keystone):
Fix Committed
Status in OpenStack Security Advisories:
Incomplete
Bug description:
In V3.0 API, we can chain authentication methods. An attacker can
place the same authentication method multiple times in the methods
field. This will result in the same authentication method checking
over and over (for loop in code). Using this, an attacker can achieve
some sort of Denial of Service. The methods field is not properly
sanitized.
{
    "auth": {
        "identity": {
            "methods": [
                "password",
                "password",
                "password",
                "password",
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "id": "default"
                    },
                    "name": "demo",
                    "password": "stack"
                }
            }
        }
    }
}
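To illustrate the bug above and the fix in the committed patch, here is an added Python model (not Keystone's code) of how a v3 authentication loop processes the `methods` list with and without de-duplication. The request dict reproduces the bug report's payload, the per-method counter stands in for the real (expensive) password check, and the "missing payload" check is an assumption about how a sanitizer should behave, not a description of Keystone's implementation.

```python
# Illustrative model of Keystone v3 auth-method chaining (not Keystone code).
# Demonstrates why duplicate method names multiply work and how
# de-duplicating the list caps each plugin at one invocation per request.
from collections import Counter

# Constructed request, same shape as the bug report's payload.
SAMPLE_REQUEST = {
    "auth": {
        "identity": {
            "methods": ["password"] * 5,
            "password": {
                "user": {"domain": {"id": "default"},
                         "name": "demo", "password": "stack"}
            },
        }
    }
}


def sanitize_method_names(methods):
    """Return the method names with duplicates removed, keeping first-seen
    order. Rejects anything that is not a list of strings."""
    if not isinstance(methods, list) or not all(isinstance(m, str) for m in methods):
        raise ValueError("methods must be a list of strings")
    seen = set()
    unique = []
    for name in methods:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


def authenticate(request, sanitize=True):
    """Model of the v3 auth loop: one plugin call per listed method name.
    Returns a Counter of plugin invocations keyed by method name."""
    identity = request["auth"]["identity"]
    methods = identity["methods"]
    if sanitize:
        methods = sanitize_method_names(methods)
    calls = Counter()
    for name in methods:
        # Assumption: a listed method without its payload block is invalid.
        if name not in identity:
            raise ValueError("no payload supplied for method %r" % name)
        calls[name] += 1  # stands in for the real credential check
    return calls
```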