CVE-2013-0247 : Keystone denial of service through invalid token requests

OpenStack Security Advisory: 2013-003

CVE: CVE-2013-0247
Date: February 5, 2013
Title: Keystone denial of service through invalid token requests
Reporter: Dan Prince (Red Hat)
Products: Keystone
Affects: All versions

Description:

Dan Prince of Red Hat reported a vulnerability in token creation error
handling in Keystone. By requesting lots of invalid tokens, an
unauthenticated user may fill up logs on Keystone API servers' disks,
potentially resulting in a denial of service attack against Keystone.
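
The failure mode above is log growth driven by unauthenticated requests. The following is an added example, not the Keystone fix and not code from the advisory: one way to bound that growth with a standard-library `logging.Filter`. The names `FloodGuard`, `demo` and the logger name are hypothetical, and the failed requests are constructed.

```python
import logging
import time


class FloodGuard(logging.Filter):
    """Hypothetical helper (not Keystone code) bounding log growth: allows
    `burst` records per `window` seconds per logging call site, truncates
    long messages, and reports how many records were dropped."""

    def __init__(self, burst=5, window=60.0, max_len=256, clock=time.monotonic):
        super().__init__()
        self.burst, self.window, self.max_len = burst, window, max_len
        self.clock = clock
        self.state = {}  # call site -> [window_start, emitted, suppressed]

    def filter(self, record):
        # Key on the call site: request data cannot create new keys.
        slot = self.state.setdefault((record.pathname, record.lineno),
                                     [self.clock(), 0, 0])
        dropped = 0
        if self.clock() - slot[0] >= self.window:
            dropped = slot[2]
            slot[:] = [self.clock(), 0, 0]
        if slot[1] >= self.burst:
            slot[2] += 1
            return False
        slot[1] += 1
        text = record.getMessage()
        if len(text) > self.max_len:
            text = text[:self.max_len] + "...[truncated]"
        if dropped:
            text += " (%d similar records suppressed)" % dropped
        record.msg, record.args = text, None
        record.exc_info = record.exc_text = None  # no traceback per failure
        return True


def demo():
    """Constructed input: 1000 failed requests at t=0, one more at t=61."""
    now, lines = [0.0], []
    handler = logging.Handler()
    handler.emit = lambda record: lines.append(record.getMessage())
    log = logging.getLogger("flood_guard_demo")
    log.handlers, log.propagate = [handler], False
    log.filters = [FloodGuard(clock=lambda: now[0])]
    for i in range(1001):
        now[0] = 61.0 if i == 1000 else 0.0
        log.error("token request failed: %s", "A" * 5000)
    return lines
```

In the constructed run, 1001 failures of about 5 KB each produce six bounded log lines, the last carrying the suppressed count so the volume of failed requests stays visible to operators.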

Grizzly fix:

Folsom fix:

Essex fix:
