[OSSA 2016-004] Download DLO objects leak connections when client kill connection (CVE-2016-0737)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | Fix Released | Undecided | Unassigned |
OpenStack Security Advisory | Fix Released | Undecided | Unassigned |
Bug Description
When a client is downloading a DLO object, if it interrupts its connection, the proxy does not close the connection to the object server.
From my test, this bug impacts versions 1.10, 2.2.2 and master.
I flag this bug as a security vulnerability because it makes it easy to do a DoS on a proxy-server. It's actually what's happening to us because one of our users does VoD. He uses DLO a lot and closes connections when his customers stop watching videos.
How to reproduce on a fresh SAIO, with processes just started:
1. Upload an object in DLO
$ dd if=/dev/zero of=2x1G bs=1M count=2048
$ swift -A http://
$ swift -A http://
2. In another terminal, watch connections between proxy-server and object-server:
$ watch -n 1 "netstat -tapn | grep -E ':60[1-4]0' | grep ESTA"
(For now, you should see no connections)
3. Start to download the object, but stop it before the end (e.g. CTRL+C)
$ swift -A http://
(Now, you should see one connection)
4. Repeat step 3 and observe the connections stacking
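A defender-side check for the reproduction steps above, added here as an example and not part of the original report or of Swift itself: it parses netstat -tapn style output (the snapshots below are constructed samples, not captured output), counts the proxy's ESTABLISHED connections to the SAIO object-server ports that the report's grep pattern ':60[1-4]0' selects, and flags a suspected leak when that count only ever grows across successive samples. All function and sample names are my own.

```python
from typing import Iterable, List, Tuple

# SAIO object-server ports; this is the set the report's grep ':60[1-4]0' matches.
OBJECT_SERVER_PORTS = {"6010", "6020", "6030", "6040"}


def count_proxy_to_object_conns(netstat_output: str) -> int:
    """Count ESTABLISHED sockets whose *foreign* endpoint is an object-server port,
    i.e. the proxy's outbound connections. The object server's accepted side of the
    same connection has the object port as its *local* address and is skipped, so
    each leaked connection is counted exactly once."""
    n = 0
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, non-TCP sockets
        foreign, state = fields[4], fields[5]
        port = foreign.rsplit(":", 1)[-1]
        if state == "ESTABLISHED" and port in OBJECT_SERVER_PORTS:
            n += 1
    return n


def leak_suspected(counts: List[int], min_growth: int = 3) -> bool:
    """True when the count never drops between samples and grows by at least
    min_growth overall. On a healthy proxy the count falls back once client
    downloads finish or are aborted; a monotonically growing count is the
    symptom described in the report."""
    if len(counts) < 2:
        return False
    if any(later < earlier for earlier, later in zip(counts, counts[1:])):
        return False
    return counts[-1] - counts[0] >= min_growth


def constructed_snapshot(leaked: int) -> str:
    """Build a netstat -tapn style snapshot (constructed sample, not real output)
    holding `leaked` proxy->object-server connections, each also visible from the
    object server's side as the accepting socket."""
    lines = [
        "Active Internet connections (servers and established)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
        "tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1001/python",
        "tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1002/python",
    ]
    for i in range(leaked):
        client_port = 40000 + i  # ephemeral port on the proxy side (constructed)
        lines.append(f"tcp        0      0 127.0.0.1:{client_port}         127.0.0.1:6010          ESTABLISHED 1002/python")
        lines.append(f"tcp        0      0 127.0.0.1:6010          127.0.0.1:{client_port}         ESTABLISHED 1001/python")
    return "\n".join(lines)


def watch(snapshots: Iterable[str]) -> Tuple[List[int], bool]:
    """Turn a series of netstat snapshots into per-sample counts plus a leak verdict."""
    counts = [count_proxy_to_object_conns(s) for s in snapshots]
    return counts, leak_suspected(counts)


if __name__ == "__main__":
    # Simulate repeating step 3 four times on a leaking proxy: 0, 1, 2, 3, 4 stacked connections.
    counts, leaking = watch(constructed_snapshot(n) for n in range(5))
    print(counts, "leak suspected" if leaking else "ok")
```

In practice the snapshots would come from the same `netstat -tapn` the report's watch loop runs, sampled once per second or so; on a proxy carrying the fix the count should drop back to its baseline shortly after each aborted download rather than stacking.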
Changed in swift:
status: New → Fix Committed
Changed in ossa:
status: Incomplete → Confirmed
Changed in swift:
milestone: none → 2.4.0
status: Fix Committed → Fix Released
summary: Download DLO objects leak connections when client kill connection → Download DLO objects leak connections when client kill connection (CVE-2016-0737)
summary: Download DLO objects leak connections when client kill connection (CVE-2016-0737) → [OSSA 2016-004] Download DLO objects leak connections when client kill connection (CVE-2016-0737)
Changed in ossa:
status: Confirmed → Fix Released
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.