Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 456134 (CVE-2013-0270)

Summary: <sys-auth/keystone-2012.2.3: Large HTTP request DoS (CVE-2013-0270)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=909012
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-02-08 10:16:08 UTC 
From $URL :

Dan Prince (dprince@redhat.com) reports:

When long tenant_name is sent few times when requesting token, responsiveness 
of service decreases until finally it requests ends with MemoryError.

keystoneclient.exceptions.AuthorizationFailure: Authorization Failed: Unable 
to communicate with identity service: Traceback ... MemoryError
Includes whole traceback.

Memory on keystone host is used up keystone-all process.
Also during processing of the request CPU utilization raises for a long time 
(when and after the first MemoryError state was reached) - like for more than 
10 seconds keystone-all can take whole cpu.


Version-Release number of selected component (if applicable):
Name        : openstack-keystone
Arch        : noarch
Version     : 2012.2.1
Release     : 3.el6ost


How reproducible:
Use something similiar to following python example few times (5 times with 
"len(tenant) == 195000000" for keystone host inside VM with 4GB of RAM)

Actual results:
For first few tries service correctly responds with:
(HTTP 400): Authorization Failed: Request attribute tenantName must be less 
than or equal to 64. The server could not comply with the request because the 
attribute size is invalid (too large). The client is assumed to be in error.

Later with:
(HTTP 500): Authorization Failed: Unable to communicate with identity service: 
Traceback (most recent call last):
  ... whole backtrace here
MemoryError

Most memory of keystone host is used by keystone-all process.


Expected results:
The first 400 error mentioning that attribute is too big for all request (not 
only first few). And not such a big impact on memory of host.


Additional info:
Similiar to bug #906178 and so also to related upstream bug 
https://bugs.launchpad.net/keystone/+bug/1098307 where they mentioned 
preparation of general check/defense for too big requests.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-02-08 12:29:01 UTC 
note to self, make sure this patch made it into 2012.2.3
https://github.com/openstack/keystone/commit/7691276b869a86c2b75631d5bede9f61e030d9d8
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-02-08 15:34:25 UTC 
It didn't make it into 2012.2.3, I took the patch and it applies to 2012.2.3.  Also, I checked 9999 and it's there (as it should be). Also, also, removed 2012.2 as it was hit by the CVE.

tldr, should be fixed in tree
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 16:04:02 UTC 
Thanks, Matthew!

Closing noglsa for ~arch only issue.