[OSSA 2013-022] Swift Denial of Service using superfluous object tombstones (CVE-2013-4155)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
OpenStack Security Advisory: 2013-022 CVE: CVE-2013-4155 Date: August 7, 2013 Title: Swift Denial of Service using superfluous object tombstones Reporter: Peter Portante (Red Hat) Products: Swift Affects: All versions
Description: Peter Portante from Red Hat reported a vulnerability in Swift. By issuing requests with an old X-Timestamp value, an authenticated attacker can fill an object server with superfluous object tombstones, which may significantly slow down subsequent requests to that object server, facilitating a Denial of Service attack against Swift clusters.
Havana (development branch) fix: https://review.openstack.org/40643
Grizzly fix: https://review.openstack.org/40645
Folsom fix: https://review.openstack.org/40646
Note: The havana fix will be included in the upcoming Swift 1.9.1 release.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4155 https://bugs.launchpad.net/swift/+bug/1196932
Regards,
- -- Thierry Carrez OpenStack Vulnerability Management Team
participants (1)
-
Thierry Carrez