Comment 0 for bug 1549855

Tristan Cacqueray (tristan-cacqueray) wrote :

This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.

--

Reported by private mail:

Dear Openstack,

The following information pertains to information discovered by Fortinet's
FortiGuard Labs. It has been determined that a vulnerability exists in
Openstack. To streamline the disclosure process, we have created a
preliminary advisory which you can find below. This upcoming advisory is
purely intended as a reference, and does not contain sensitive information
such as proof of concept code.

As a mature corporation involved in security research, we strive to
responsibly disclose vulnerability information. We will not post an advisory
until we determine it is appropriate to do so in co-ordination with the
vendor unless a resolution cannot be reached. We will not disclose full
proof of concept, only details relevant to the advisory.

We look forward to working closely with you to resolve this issue, and
kindly ask for your co-operation during this time. Please let us know if you
have any further questions, and we will promptly respond to address any
issues.

Type of Vulnerability & Repercussions:
  DoS

Affected Software:
  Ubuntu 14.04.3 with latest repository installed
  # apt-get install software-properties-common
  # add-apt-repository cloud-archive:liberty

Upcoming Advisory Reference:
  http://www.fortiguard.com/advisory/UpcomingAdvisories.html

Credits:
  This vulnerability was discovered by Fortinet's FortiGuard Labs.

Proof of Concept/How to Reproduce:
  The vulnerability exists in Openstack server when dealing with many HTTP GET requests in a single connection. Please check PoC glance_large_request_2.txt. It's a single file containing many long HTTP GET requests. When you run "nc.exe Openstack_IP 9292 < glance_large_request_2.txt" on Windows, the Openstack glance server deals with all HTTP requests in a single connection and records them in the log file (/var/log/glance/glance-api.log). Run this PoC once, and Openstack generates a log file of about 140M. To reproduce the DoS issue, you can run the PoC multiple times until the Openstack controller node space is exhausted.

  The vulnerability has high impact because it consumes the log space via a single connection. As we know, Apache also records full URLs in its log file, but in order to consume its space, hundreds or thousands of connections with long URLs should be created. This behaviour is easily detected and prevented. But in this PoC, it only needs one connection to the server.

  The attack doesn't need authentication.

Additional Information:
  Extract from glance_large_request:
GET /v2/images/cirros/file?test=$(python -c 'print "A"*6744')&quot;%22%u0022&lt;<script>alert(5)</script>&gt; HTTP/1.1
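
Because the report notes that a single connection is enough, counting connections will not catch this; measuring how many log bytes each client causes will. The sketch below is an added example, not part of the report or of Glance: the access-line layout, both thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed access-log shape (eventlet-style), not taken from the report:
#   <prefix> <client_ip> - - [<date>] "<request line>" <status> <len> <secs>
ACCESS_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - - \[[^\]]*\] "(?P<req>.*)" \d{3} ')

MAX_REQUEST_LINE = 2048       # hypothetical: longer request lines count as oversized
MAX_BYTES_PER_CLIENT = 16384  # hypothetical: log bytes one client may add this way


def scan(lines, max_line=MAX_REQUEST_LINE):
    """Per client IP: requests seen, oversized requests, log bytes they cost."""
    stats = defaultdict(lambda: {"requests": 0, "oversized": 0, "bytes": 0})
    for line in lines:
        m = ACCESS_RE.search(line)
        if m is None:
            continue  # not an access line
        entry = stats[m.group("ip")]
        entry["requests"] += 1
        if len(m.group("req")) > max_line:
            entry["oversized"] += 1
            entry["bytes"] += len(line.encode("utf-8", "replace"))
    return dict(stats)


def offenders(stats, budget=MAX_BYTES_PER_CLIENT):
    """Clients whose oversized requests exceeded the log-byte budget."""
    return sorted(ip for ip, s in stats.items() if s["bytes"] > budget)


def _line(ip, target):
    # Constructed sample line; documentation-range IPs, made-up timestamp.
    return ('2016-02-25 10:00:01.000 1234 INFO eventlet.wsgi.server [-] '
            f'{ip} - - [25/Feb/2016 10:00:01] "GET {target} HTTP/1.1" 404 0 0.001')


# Constructed input: one normal client, one sending 3 long GETs whose padding
# has the same length (6744) as the extract quoted in the report.
SAMPLE = [_line("192.0.2.10", "/v2/images")] + \
         [_line("198.51.100.7", "/v2/images/cirros/file?test=" + "A" * 6744)] * 3

if __name__ == "__main__":
    report = scan(SAMPLE)
    for ip in offenders(report):
        print(ip, report[ip])
```

In practice the same accounting would run over a rolling time window, with the thresholds tuned to the free space on the log volume.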