oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[OSSA 2013-022] Swift Denial of Service using superfluous object tombstones (CVE-2013-4155)

From: Thierry Carrez <thierry () openstack org>
Date: Wed, 07 Aug 2013 17:48:28 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-022
CVE: CVE-2013-4155
Date: August 7, 2013
Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Products: Swift
Affects: All versions

Description:
Peter Portante from Red Hat reported a vulnerability in Swift. By
issuing requests with an old X-Timestamp value, an authenticated
attacker can fill an object server with superfluous object tombstones,
which may significantly slow down subsequent requests to that object
server, facilitating a Denial of Service attack against Swift clusters.

Havana (development branch) fix:
https://review.openstack.org/40643

Grizzly fix:
https://review.openstack.org/40645

Folsom fix:
https://review.openstack.org/40646

Note:
The havana fix will be included in the upcoming Swift 1.9.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4155
https://bugs.launchpad.net/swift/+bug/1196932

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJSAmxMAAoJEFB6+JAlsQQjHnAP/3Q1paJhRVmqLqMgH/+1aey+
5tzafCJP/YwRdjRi3l27MgIVoKk9sqVr3jxpaSDVFZ2iKD3wqcb28cYa8tqRGLsV
gkb0nCePG/HQjcfE58Up+1otH/vMqoZTjLzQfUWPAWZASCm6vFSIcepdyi4WMIiM
Rfv1E+Mjf9esNBT7fHgfNW4wrJbut+j4pU9sqzZS13KE2pbdKi8URsF1Pt77QXz5
PtgfvGiIlkwQQ18Y0VMyGj50uWF36J3YXt1k6L4qa9SXd+HAx5yRq+QPdPPHgUrv
S3WDi+lAlhZa47K7fDUzR9Ytr25JSa1L48cJp2e8Lw5RNSGjZd9UJp5ZGvlK0ZFl
fb3gktBu+4KzJ6jiCV7kQXSxTVMcICjFF35v0Y6pLCmTOeYtcri1VoT9CV0mdo+f
85BxCcykaE1EQbPW+OpO5S6LoGpb0WBCYvcqrQr05I7Y0qIdUz4WucsheWDx2kSm
o6ZaZedc1k397WLZt2WTaqQFgoFh2fN9gp+syseFItCi+zlQOyMkCCm3ORvnmGuE
7fR0998XTRzzW1b8Z9a8QWWyXVmHqZ7oqu4yRsGxbyZG+4ckX+XsRwqf/C3DJNdw
fZTXbvnEgxnO18Cq5ki4EbJrk70vW45TtJ7kSWGbwSEcZ/Ju4A1fncK4ESd/cMf7
2hcM7moWaAcdUSCEII7O
=AwQ5
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: