Bug 873127 - (CVE-2014-2828) VUL-0: CVE-2014-2828: openstack-keystone: denial of service via V3 API authentication chaining
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Security Team bot
URL: https://smash.suse.de/issue/97777/
Whiteboard: maint:running:57051:moderate maint:r...
Depends on:
Blocks:
Reported: 2014-04-11 08:56 UTC by Alexander Bergmann
Modified: 2014-08-19 08:14 UTC
CC List: 3 users
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2014-04-11 08:56:38 UTC
Via rh#1086211 and oss-security:

Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: from 2013.1 to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3
API authentication. By sending a single request with the same
authentication method multiple times, a remote attacker may generate
unwanted load on the Keystone host, potentially resulting in a Denial of
Service against a Keystone service. Only Keystone setups enabling V3 API
are affected.

CVE-2014-2828 was assigned to this issue.


References:
https://launchpad.net/bugs/1300274
http://seclists.org/oss-sec/2014/q2/65
https://review.openstack.org/#/c/86024/
https://git.openstack.org/cgit/openstack/keystone/commit/?id=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
https://bugzilla.redhat.com/show_bug.cgi?id=1086211
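Added illustration of the mechanism described above (example code written for this page, not Keystone's code and not the upstream fix): a V3 auth body lists its authentication methods, and a naive handler runs one expensive authentication step per listed entry, so repeating "password" fifty times costs fifty times the work of a normal login. The hardened validator rejects duplicate or unknown method names before any backend work is done. The request shape follows the V3 /v3/auth/tokens body; the handler, the work counter standing in for password hashing, the known-methods list and the sample requests are assumptions constructed for this example.

```python
"""Duplicate-method validation for a Keystone-V3-style auth body.

Added example, not Keystone's own code.  The cost model (one unit of work
per listed method) and the validator are assumptions for illustration.
"""
import json

# Constructed sample bodies (not from the original report): a normal login
# and one that chains the same method many times in a single request.
NORMAL_REQUEST = json.dumps({
    "auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"name": "demo", "password": "x"}}}}})

CHAINED_REQUEST = json.dumps({
    "auth": {"identity": {
        "methods": ["password"] * 50,
        "password": {"user": {"name": "demo", "password": "x"}}}}})


class ValidationError(ValueError):
    """Raised when the auth body fails validation (assumed error type)."""


def authenticate_unchecked(body):
    """Vulnerable pattern: run every listed method as given.

    Returns the number of authentication steps executed; each step stands
    in for a real password hash check or backend round trip.
    """
    methods = json.loads(body)["auth"]["identity"]["methods"]
    work = 0
    for _method in methods:
        work += 1  # one expensive authentication per listed entry
    return work


def validate_methods(identity, known_methods=("password", "token")):
    """Hardened check: methods must be a non-empty list of distinct, known
    method names, each with its payload present.  Rejects before any
    authentication backend is touched."""
    methods = identity.get("methods")
    if not isinstance(methods, list) or not methods:
        raise ValidationError("methods must be a non-empty list")
    if len(set(methods)) != len(methods):
        raise ValidationError("duplicate authentication methods")
    for method in methods:
        if method not in known_methods:
            raise ValidationError("unknown method: %s" % method)
        if method not in identity:
            raise ValidationError("missing payload for method: %s" % method)
    return methods


def authenticate_checked(body):
    """Hardened handler: validate first, then do bounded work.

    Returns the number of authentication steps that would run.
    """
    identity = json.loads(body)["auth"]["identity"]
    methods = validate_methods(identity)
    return len(methods)


if __name__ == "__main__":
    print("unchecked, normal:", authenticate_unchecked(NORMAL_REQUEST))
    print("unchecked, chained:", authenticate_unchecked(CHAINED_REQUEST))
    print("checked, normal:", authenticate_checked(NORMAL_REQUEST))
    try:
        authenticate_checked(CHAINED_REQUEST)
    except ValidationError as exc:
        print("checked, chained: rejected (%s)" % exc)
```

The point of the validator is that the amount of server-side work becomes bounded by the number of distinct known methods rather than by the length of a client-controlled list; the exact change made upstream is in the referenced commit, and this check only illustrates the class of input it guards against.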
Comment 1 Swamp Workflow Management 2014-04-11 22:00:24 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2014-04-16 11:43:05 UTC
The SWAMPID for this issue is 57051.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-30.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 SMASH SMASH 2014-04-16 11:45:17 UTC
Affected packages:

SLE-11-SP3-PRODUCTS: openstack-keystone
Comment 4 Nanuk Krinner 2014-04-22 11:49:36 UTC
Fix is included in the Devel:Cloud:3 openstack-keystone package and submitted to 
SUSE:SLE-11-SP3:Update:Products:Test:Update:Test via

https://build.suse.de/request/show/36618 openstack-keystone
Comment 5 Nanuk Krinner 2014-04-22 11:56:09 UTC
Fix for Cloud 2.0 is submitted to SUSE:SLE-11-SP3:Update:Test with
https://build.suse.de/request/show/36340 openstack-keystone
Comment 8 Swamp Workflow Management 2014-05-15 13:58:24 UTC
Update released for: crowbar, crowbar-barclamp-ceilometer, crowbar-barclamp-ceph, crowbar-barclamp-cinder, crowbar-barclamp-crowbar, crowbar-barclamp-crowbar-devel, crowbar-barclamp-database, crowbar-barclamp-deployer, crowbar-barclamp-dns, crowbar-barclamp-glance, crowbar-barclamp-heat, crowbar-barclamp-ipmi, crowbar-barclamp-keystone, crowbar-barclamp-logging, crowbar-barclamp-network, crowbar-barclamp-neutron, crowbar-barclamp-nfs_client, crowbar-barclamp-nova, crowbar-barclamp-nova_dashboard, crowbar-barclamp-ntp, crowbar-barclamp-pacemaker, crowbar-barclamp-provisioner, crowbar-barclamp-rabbitmq, crowbar-barclamp-suse-manager-client, crowbar-barclamp-swift, crowbar-barclamp-updater, crowbar-devel, haproxy, haproxy-debuginfo, haproxy-debugsource, mongodb, mongodb-devel, openstack-ceilometer, openstack-ceilometer-agent-central, openstack-ceilometer-agent-compute, openstack-ceilometer-alarm-evaluator, openstack-ceilometer-alarm-notifier, openstack-ceilometer-api, openstack-ceilometer-collector, openstack-ceilometer-doc, openstack-ceilometer-test, openstack-dashboard, openstack-dashboard-branding-upstream, openstack-dashboard-test, openstack-keystone, openstack-keystone-doc, openstack-keystone-test, openstack-neutron, openstack-neutron-dhcp-agent, openstack-neutron-doc, openstack-neutron-ha-tool, openstack-neutron-hyperv-agent, openstack-neutron-l3-agent, openstack-neutron-lbaas-agent, openstack-neutron-linuxbridge-agent, openstack-neutron-metadata-agent, openstack-neutron-metering-agent, openstack-neutron-mlnx-agent, openstack-neutron-nec-agent, openstack-neutron-openvswitch-agent, openstack-neutron-plugin-cisco, openstack-neutron-ryu-agent, openstack-neutron-server, openstack-neutron-test, openstack-neutron-vmware-agent, openstack-neutron-vpn-agent, openstack-nova, openstack-nova-api, openstack-nova-cells, openstack-nova-cert, openstack-nova-compute, openstack-nova-conductor, openstack-nova-console, openstack-nova-consoleauth, openstack-nova-doc, 
openstack-nova-network, openstack-nova-novncproxy, openstack-nova-objectstore, openstack-nova-scheduler, openstack-nova-test, openstack-nova-vncproxy, openstack-resource-agents, openstack-suse, openstack-suse-macros, openstack-suse-sudo, openstack-xen-plugins, patterns-cloud, python-amqp, python-ceilometer, python-heatclient, python-heatclient-doc, python-heatclient-test, python-horizon, python-horizon-branding-upstream, python-keystone, python-neutron, python-neutronclient, python-neutronclient-test, python-nova, python-psycopg2, python-psycopg2-debuginfo, python-psycopg2-debugsource, python-psycopg2-doc, rubygem-bson-1_9, rubygem-bson-1_9-doc, rubygem-mongo, rubygem-mongo-doc, rubygem-mongo-testsuite, susecloud-admin_en-pdf, susecloud-deployment_en-pdf, susecloud-manuals_en, susecloud-user_en-pdf, yast2-crowbar
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 9 Swamp Workflow Management 2014-05-15 17:09:37 UTC
SUSE-RU-2014:0656-1: An update that solves 5 vulnerabilities and has 15 fixes is now available.

Category: recommended (low)
Bug References: 840255,847189,861551,863719,865733,869078,869570,870175,870898,871199,871855,872116,872361,872700,872915,873127,874171,874611,874755,876326
CVE References: CVE-2014-0056,CVE-2014-0134,CVE-2014-0157,CVE-2014-0167,CVE-2014-2828
Sources used:
SUSE Cloud 3 (src):    crowbar-1.7+git.1393415366.c7d7ed2-0.9.1, crowbar-barclamp-ceilometer-1.7+git.1397725532.6562e99-0.11.1, crowbar-barclamp-ceph-1.7+git.1394531703.94bc662-0.7.4, crowbar-barclamp-cinder-1.7+git.1397563537.c0e3c1f-0.7.4, crowbar-barclamp-crowbar-1.7+git.1397546986.0138729-0.7.5, crowbar-barclamp-database-1.7+git.1398437917.4d9d949-0.7.4, crowbar-barclamp-deployer-1.7+git.1395841488.9bd9b18-0.7.4, crowbar-barclamp-dns-1.7+git.1395139533.d8065e0-0.7.4, crowbar-barclamp-glance-1.7+git.1397563542.7f7adbd-0.7.4, crowbar-barclamp-heat-1.7+git.1397563528.5365573-0.7.4, crowbar-barclamp-ipmi-1.7+git.1394447661.823417e-0.7.4, crowbar-barclamp-keystone-1.7+git.1397563548.5e1f6f4-0.7.4, crowbar-barclamp-logging-1.7+git.1394447795.1352678-0.7.4, crowbar-barclamp-network-1.7+git.1397462393.b75b4a2-0.7.4, crowbar-barclamp-neutron-1.7+git.1399280715.7a6d30c-0.7.1, crowbar-barclamp-nfs_client-1.7+git.1394448673.eec60d0-0.7.4, crowbar-barclamp-nova-1.7+git.1397563532.b0a2cf3-0.7.4, crowbar-barclamp-nova_dashboard-1.7+git.1397195786.72f875c-0.7.4, crowbar-barclamp-ntp-1.7+git.1394526594.bd0925a-0.7.4, crowbar-barclamp-pacemaker-1.7+git.1399292086.c9d262e-0.7.1, crowbar-barclamp-provisioner-1.7+git.1398437839.2078a3c-0.7.1, crowbar-barclamp-rabbitmq-1.7+git.1398437927.2b9a534-0.7.4, crowbar-barclamp-suse-manager-client-1.7+git.1394449068.c91f840-0.7.4, crowbar-barclamp-swift-1.7+git.1398348658.e9aadc4-0.7.4, crowbar-barclamp-updater-1.7+git.1394449074.c15a84e-0.7.4, haproxy-1.4.24-0.9.2, mongodb-2.4.3-0.13.1, openstack-ceilometer-2013.2.4.dev3.gd7b0634-0.9.1, openstack-ceilometer-doc-2013.2.4.dev3.gd7b0634-0.9.1, openstack-dashboard-2013.2.3.dev1.g54ec015-0.7.3, openstack-keystone-2013.2.4.dev2.ge7c2987-0.7.3, openstack-keystone-doc-2013.2.4.dev2.ge7c2987-0.7.3, openstack-neutron-2013.2.3.dev38.g1b9ceaf-0.7.3, openstack-neutron-doc-2013.2.3.dev38.g1b9ceaf-0.7.3, openstack-nova-2013.2.4.dev10.g155262c-0.7.3, openstack-nova-doc-2013.2.4.dev10.g155262c-0.7.3, 
openstack-resource-agents-1.0+git.1392632006.9b9b934-0.7.2, openstack-suse-2013.2-0.11.2, patterns-cloud-20140224-0.21.2, python-amqp-1.2.0-0.9.1, python-heatclient-0.2.6-0.7.2, python-neutronclient-2.3.4-0.7.3, python-psycopg2-2.5.2-0.7.2, rubygem-bson-1_9-1.9.2-0.7.2, rubygem-mongo-1.9.2-0.7.2, susecloud-manuals_en-3.0-0.34.1, yast2-crowbar-2.17.35-0.7.2
Comment 10 Alexander Bergmann 2014-08-19 08:14:30 UTC
Fix was released. Closing bug.