OpenStack Keystone HTTP Request Processing Denial of Service

by Carol~ Moderator - 2/11/13 10:04 AM

In Reply to: VULNERABILITIES / FIXES - February 11. 2013 by Carol~ Moderator

OpenStack Keystone HTTP Request Processing Denial of Service Vulnerability

Release Date: 2013-02-11

Criticality level: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Workaround

Software: OpenStack Keystone 2012.x

Description:
A vulnerability has been reported in OpenStack Keystone, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an error when processing HTTP requests and can be exploited to exhaust available memory, e.g. by sending an overly long "tenant_name" within HTTP requests.

The vulnerability is reported in version Folsom (2012.2.1). Other versions may also be affected.

Solution:
Fixed in the source code repository.

Provided and/or discovered by:
Dan Prince, Red Hat.

Original Advisory:
https://bugs.launchpad.net/keystone/+bug/1099025
https://bugzilla.redhat.com/show_bug.cgi?id=909012

http://secunia.com/advisories/52139/