oss-sec mailing list archives
[OSSA 2013-022] Swift Denial of Service using superfluous object tombstones (CVE-2013-4155)
From: Thierry Carrez <thierry () openstack org>
Date: Wed, 07 Aug 2013 17:48:28 +0200
OpenStack Security Advisory: 2013-022
CVE: CVE-2013-4155
Date: August 7, 2013
Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Products: Swift
Affects: All versions

Description:
Peter Portante from Red Hat reported a vulnerability in Swift. By issuing requests with an old X-Timestamp value, an authenticated attacker can fill an object server with superfluous object tombstones, which may significantly slow down subsequent requests to that object server, facilitating a Denial of Service attack against Swift clusters.

Havana (development branch) fix:
https://review.openstack.org/40643

Grizzly fix:
https://review.openstack.org/40645

Folsom fix:
https://review.openstack.org/40646

Note:
The havana fix will be included in the upcoming Swift 1.9.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4155
https://bugs.launchpad.net/swift/+bug/1196932

Regards,

--
Thierry Carrez
OpenStack Vulnerability Management Team
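An operator-side check for the condition the advisory describes, added here as an example that is not part of the advisory or of Swift's code. It assumes the object server's on-disk layout, where each object hash directory holds `<timestamp>.data` and `<timestamp>.ts` (tombstone) files; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def parse_name(name):
    """Split '<timestamp>.<ext>' into (float timestamp, ext); None if it does not match."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return None
    try:
        return float(stem), ext
    except ValueError:
        return None


def find_superfluous_tombstones(objects_root):
    """Map each hash directory to the .ts files older than its newest .data/.ts file."""
    report = {}
    for dirpath, _dirs, files in os.walk(objects_root):
        entries = []
        for name in files:
            parsed = parse_name(name)
            if parsed and parsed[1] in ("data", "ts"):
                entries.append((parsed[0], parsed[1], name))
        if not entries:
            continue
        newest = max(ts for ts, _ext, _name in entries)
        # A tombstone older than the newest file carries no information: it is superfluous.
        stale = sorted(n for ts, ext, n in entries if ext == "ts" and ts < newest)
        if stale:
            report[dirpath] = stale
    return report


def build_sample(root):
    """Constructed sample tree: one hash dir with old tombstones, one with a single tombstone."""
    layout = {
        ("1", "abc", "0" * 29 + "abc"): ["1375890508.00000.data",
                                         "1000000001.00000.ts", "1000000002.00000.ts"],
        ("2", "def", "0" * 29 + "def"): ["1375890600.00000.ts"],
    }
    for parts, names in layout.items():
        os.makedirs(os.path.join(root, *parts))
        for name in names:
            open(os.path.join(root, *parts, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for hash_dir, stale in find_superfluous_tombstones(root).items():
            print(f"{hash_dir}: {len(stale)} superfluous tombstone(s): {stale}")
```

Tracking the number of reported directories over time gives a simple signal for tombstone build-up on an object server that has not yet received the fix.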