[OSSA-2016-004] Swift proxy-server DoS through Large Object (CVE-2016-0737, CVE-2016-0738)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | High | Alexey Stupnikov |
5.1.x | Invalid | High | Alexey Stupnikov |
6.0.x | Invalid | High | Alexey Stupnikov |
6.1.x | Invalid | High | Alexey Stupnikov |
7.0.x | Fix Released | High | Alexey Stupnikov |
8.0.x | Fix Released | High | Alexey Stupnikov |
9.x | Fix Released | High | MOS Swift |
Bug Description
Problem description:
By repeatedly requesting and interrupting connections to a Large Object (Dynamic or
Static) URL, a remote attacker may exhaust Swift proxy-server
resources, potentially resulting in a denial of service. Note that there
are two distinct bugs that can exhaust proxy resources: one for client
connections (client to proxy) and one for server connections (proxy to
server). All Swift setups are affected.
Upstream bug reports:
https:/
https:/
Upstream patches:
Mitaka:
https:/
Liberty:
https:/
Kilo:
https:/
https:/
tags: | added: area-swift |
tags: | added: on-verification |
information type: | Private Security → Public Security |
Moving to -updates milestones for 7.0/6.1/6.0/5.1.1 - waiting for the fix in 8.0/9.0.