oss-sec mailing list archives
Re: CVE request for vulnerability in OpenStack Keystone
From: cve-assign () mitre org
Date: Thu, 10 Apr 2014 14:06:49 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> https://launchpad.net/bugs/1300274
>
> Keystone DoS through V3 API authentication chaining
>
> a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.
>
> Sanitizes authentication methods received in requests. When a user authenticates against Identity V3 API, he can specify multiple authentication methods. This patch removes duplicates, which could have been used to achieve DoS attacks.
>
> The difference that I see between many authentication requests versus one request with many authentication methods is that in the first case an operator may limit the rate at which requests are processed, but it's more difficult to protect Keystone against few requests triggering many authentication trials.
Use CVE-2014-2828.

For reference: this was apparently disputed internally by the vendor before a conclusion was reached that this is a vulnerability in the context of the vendor's security policy. Obviously an attacker who sends more authentication requests generates more system load. Apparently the decision is that it was a mistake for auth/controllers.py, when handling one request, to process superfluous data that had no real purpose other than increasing resource consumption.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTRt1TAAoJEKllVAevmvms3aEIAL3ri80WKGeYIT+99PIHROOw
GbBvXRIsLL5xLwTIgCdUe6ozNR4z9WOSVSMLIPT4rHZEaXEqe7jV9yqAeVW5c7IX
RQ6YFtTC/wGPxMHjoQyjx1TQp1Ymubcie1golNJC6rSAFnEM211HM8VEQxh/NiCe
FH0vfawOxioFIp0KxiTTKHNUbY39AI+6ENylEQwfOzfjEP7Vvbp+k8MrwctIZxEB
x5aJH/5kENJQSd5JzQbIzA4qt6THTEg8SiXTRJTd5RdHyKh/oBelZhkuf/Q16ERe
/CwfUpwKB1Z0rKN+tefdBu0fW/Rr428MJ7dIONskJhdPQNHJyvCsLt411l66Nf0=
=Ck8/
-----END PGP SIGNATURE-----
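The intra-request amplification described in the quoted report, and the order-preserving de-duplication that the quoted patch description summarises, as an added Python example. This is not Keystone's code and not the patch for bug 1300274: the user store, token table, PBKDF2 cost model, `Stats` counter, `make_request` helper and the `max_methods` bound are all assumptions constructed for the demo; only the shape of the request body (`auth.identity.methods` plus one sub-object per method) follows the Identity V3 API.

```python
"""Added example, not Keystone's code: a stand-in for the V3
``POST /v3/auth/tokens`` handler showing why listing one method N
times in a single request costs N verifications, and the
order-preserving de-duplication that removes the amplification.
"""
import hashlib
import hmac
import os

# Constructed credential store. A deliberately slow PBKDF2 stands in for
# the expensive password hash an identity service verifies per attempt.
_SALT = os.urandom(16)
_ITERATIONS = 20_000
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
}
_TOKENS = {"tok-123": "alice"}  # constructed: token id -> user name


class Stats:
    """Counts the expensive verifications one request triggered."""

    def __init__(self):
        self.verifications = 0


def verify_password(user, password, stats):
    stats.verifications += 1  # each call costs _ITERATIONS PBKDF2 rounds
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    stored = _USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)


def verify_token(token_id, stats):
    stats.verifications += 1
    return _TOKENS.get(token_id)


def _run_method(name, identity, stats):
    """Dispatch one auth method; return the authenticated user name or None."""
    if name == "password":
        creds = identity["password"]["user"]
        ok = verify_password(creds["name"], creds["password"], stats)
        return creds["name"] if ok else None
    if name == "token":
        return verify_token(identity["token"]["id"], stats)
    raise ValueError("unsupported auth method: %s" % name)


def authenticate_unsanitized(body, stats):
    """'Before' behaviour: every listed method runs, duplicates included,
    so ["password"] * N costs N password verifications for one request."""
    identity = body["auth"]["identity"]
    user = None
    for name in identity["methods"]:
        user = _run_method(name, identity, stats)
        if user is None:
            return None
    return user


def sanitize_methods(methods):
    """Drop repeated method names while keeping first-seen order."""
    unique = []
    for name in methods:
        if name not in unique:
            unique.append(name)
    return unique


def authenticate_sanitized(body, stats, max_methods=2):
    """'After' behaviour: de-duplicate before dispatching. The max_methods
    bound is an extra check assumed here, not part of the described fix:
    a request never needs more distinct methods than the service supports."""
    identity = body["auth"]["identity"]
    methods = sanitize_methods(identity["methods"])
    if len(methods) > max_methods:
        raise ValueError("too many authentication methods: %d" % len(methods))
    user = None
    for name in methods:
        user = _run_method(name, identity, stats)
        if user is None:
            return None
    return user


def make_request(methods, password="correct horse"):
    """Constructed V3-shaped request body for user alice."""
    return {"auth": {"identity": {
        "methods": list(methods),
        "password": {"user": {"name": "alice", "password": password}},
        "token": {"id": "tok-123"},
    }}}


def demo(copies=50):
    """Return (verifications before fix, verifications after fix) for one
    request whose methods list repeats "password" `copies` times."""
    body = make_request(["password"] * copies)
    before, after = Stats(), Stats()
    assert authenticate_unsanitized(body, before) == "alice"
    assert authenticate_sanitized(body, after) == "alice"
    return before.verifications, after.verifications


if __name__ == "__main__":
    print("verifications per request (before, after):", demo(50))
```

Running the module shows a single request with fifty copies of "password" costing fifty hash verifications before de-duplication and one after. The de-duplication only closes the intra-request multiplier that the quoted report distinguishes from plain request flooding; per-request rate limiting at the operator's front end is still what bounds the flooding case.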
Current thread:
- CVE request for vulnerability in OpenStack Keystone Tristan Cacqueray (Apr 09)
- Re: CVE request for vulnerability in OpenStack Keystone cve-assign (Apr 10)