[Openstack-security] [Bug 1300274] Re: V3 Authentication Chaining - uniqueness of auth method names

OpenStack Infra 1300274 at bugs.launchpad.net
Wed Apr 9 13:13:16 UTC 2014


Reviewed:  https://review.openstack.org/86024
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
Submitter: Jenkins
Branch:    stable/havana

commit e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
Author: Florent Flament <florent.flament-ext at cloudwatt.com>
Date:   Tue Apr 1 12:48:22 2014 +0000

    Sanitizes authentication methods received in requests.
    
    When a user authenticates against Identity V3 API, he can specify
    multiple authentication methods. This patch removes duplicates, which
    could have been used to achieve DoS attacks.
    
    Closes-Bug: 1300274
    (cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
    Cherry-pick from https://review.openstack.org/#/c/84425/
    
    Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab


** Changed in: keystone/havana
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1300274

Title:
  V3 Authentication Chaining - uniqueness of auth method names

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Triaged

Bug description:
  In V3.0 API, we can chain authentication methods. An attacker can
  place the same authentication method multiple times in the methods
  field. This will result in the same authentication method checking
  over and over (for loop in code). Using this, an attacker can achieve
  some sorts of Denial of Service. The methods field is not properly
  sanitized.

  {
    "auth": {
      "identity": {
        "methods": [
          "password",
          "password",
          "password",
          "password",
          "password"
        ],
        "password": {
          "user": {
            "domain": {
              "id": "default"
            },
            "name": "demo",
            "password": "stack"
          }
        }
      }
    }
  }

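The following is an added example, not Keystone's own code and not part of the bug report, showing in Python why a repeated "methods" list multiplies authentication work and how deduplicating the list before the dispatch loop (the approach the commit message describes) removes the amplification. The plugin class, the `plugins` registry, the constructed user store, and the rejection of unknown methods or methods without a payload are assumptions made for the example; the request body mirrors the one in the report.

```python
# Added example (not Keystone's own code): a toy V3-style auth dispatcher
# that counts plugin invocations with and without method deduplication.
from collections import OrderedDict


class CountingPasswordPlugin:
    """Stand-in for a password auth plugin; records how often it runs."""

    def __init__(self, users):
        self.users = users      # constructed user store: name -> password
        self.calls = 0

    def authenticate(self, payload):
        # In a real backend each call is a credential verification, which is
        # exactly the work that a repeated method name makes the server redo.
        self.calls += 1
        user = payload["user"]
        return self.users.get(user["name"]) == user["password"]


def sanitize_methods(methods):
    """Drop repeated method names, keeping the first occurrence in order."""
    if not isinstance(methods, list):
        raise ValueError("methods must be a list")
    return list(OrderedDict.fromkeys(methods))


def authenticate(request, plugins, sanitize):
    """Dispatch each listed method to its plugin; every method must succeed."""
    identity = request["auth"]["identity"]
    methods = identity["methods"]
    if sanitize:
        methods = sanitize_methods(methods)
    for name in methods:
        plugin = plugins.get(name)
        if plugin is None:
            raise ValueError("unsupported auth method: %s" % name)
        payload = identity.get(name)
        if payload is None:
            raise ValueError("missing payload for auth method: %s" % name)
        if not plugin.authenticate(payload):
            return False
    return True


def build_request(repeats):
    """Constructed request body shaped like the one in the bug report."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"] * repeats,
                "password": {
                    "user": {
                        "domain": {"id": "default"},
                        "name": "demo",
                        "password": "stack",
                    }
                },
            }
        }
    }


def plugin_calls(repeats, sanitize):
    """Return (auth_result, number_of_plugin_invocations) for one request."""
    plugin = CountingPasswordPlugin({"demo": "stack"})
    ok = authenticate(build_request(repeats), {"password": plugin}, sanitize)
    return ok, plugin.calls


if __name__ == "__main__":
    print("unsanitized:", plugin_calls(5, sanitize=False))  # (True, 5)
    print("sanitized:  ", plugin_calls(5, sanitize=True))   # (True, 1)
```

Without sanitizing, the number of credential checks scales with the length of the attacker-controlled list; with deduplication it is bounded by the number of distinct methods the server supports, so a request can never cost more than one run of each plugin.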