| 2015-09-08 10:12:20 |
Örjan Fors |
bug |
|
|
added bug |
| 2015-09-17 08:53:39 |
James Page |
bug task added |
|
swift |
|
| 2015-09-17 08:53:46 |
James Page |
cloud-archive: importance |
Undecided |
Critical |
|
| 2015-09-17 08:53:49 |
James Page |
cloud-archive: importance |
Critical |
High |
|
| 2015-09-17 08:55:06 |
James Page |
bug task added |
|
swift (Ubuntu) |
|
| 2015-09-17 08:55:32 |
James Page |
swift (Ubuntu): importance |
Undecided |
High |
|
| 2015-09-17 13:01:05 |
Jeremy Stanley |
bug |
|
|
added subscriber Swift Core security contacts |
| 2015-09-17 13:01:19 |
Jeremy Stanley |
bug task added |
|
ossa |
|
| 2015-09-17 13:01:31 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
| 2015-09-17 13:01:56 |
Jeremy Stanley |
description |
It looks like the Swift proxy will leak memory if the connection is closed and the full response is not read. This opens for a potential DoS attacks.
Reproduce:
$ swift -A http://localhost:8888/auth/v1.0 -U .. -K .. upload --use-slo --segment-size 1048576 <container> <big-file>
$ curl -H'X-Auth-Token: AUTH_...' "http://localhost:8888/v1/AUTH_../<container>/<big-file>" -m 0.001 > /dev/null
Repeat the curl command a couple of times and you will have more information in netstat and sockstat. The important part is the -m which sets the max time curl spends at downloading. After that point, it'll close the connection.
$ sudo netstat -ant -p | grep :6000
$ cat /proc/net/sockstat
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 1358/python
tcp 0 43221 127.0.0.1:6000 127.0.0.1:48350 FIN_WAIT1 -
tcp 0 43221 127.0.0.1:6000 127.0.0.1:48882 FIN_WAIT1 -
tcp 939820 0 127.0.0.1:48350 127.0.0.1:6000 ESTABLISHED 17897/python
tcp 939820 0 127.0.0.1:48882 127.0.0.1:6000 ESTABLISHED 17890/python
tcp 983041 0 127.0.0.1:48191 127.0.0.1:6000 CLOSE_WAIT 17897/python
tcp 983041 0 127.0.0.1:48948 127.0.0.1:6000 CLOSE_WAIT 17892/python
Restarting the proxy frees up the lingering memory.
This problem did not exist in 2.2.0.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: swift 2.2.2-0ubuntu1~cloud0 [origin: Canonical]
ProcVersionSignature: Ubuntu 3.16.0-48.64~14.04.1-generic 3.16.7-ckt15
Uname: Linux 3.16.0-48-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.12
Architecture: amd64
CrashDB:
{
"impl": "launchpad",
"project": "cloud-archive",
"bug_pattern_url": "http://people.canonical.com/~ubuntu-archive/bugpatterns/bugpatterns.xml",
}
Date: Tue Sep 8 09:55:05 2015
InstallationDate: Installed on 2015-06-22 (77 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
PackageArchitecture: all
SourcePackage: swift
UpgradeStatus: No upgrade log present (probably fresh install) |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
It looks like the Swift proxy will leak memory if the connection is closed and the full response is not read. This opens for a potential DoS attacks.
Reproduce:
$ swift -A http://localhost:8888/auth/v1.0 -U .. -K .. upload --use-slo --segment-size 1048576 <container> <big-file>
$ curl -H'X-Auth-Token: AUTH_...' "http://localhost:8888/v1/AUTH_../<container>/<big-file>" -m 0.001 > /dev/null
Repeat the curl command a couple of times and you will have more information in netstat and sockstat. The important part is the -m which sets the max time curl spends at downloading. After that point, it'll close the connection.
$ sudo netstat -ant -p | grep :6000
$ cat /proc/net/sockstat
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 1358/python
tcp 0 43221 127.0.0.1:6000 127.0.0.1:48350 FIN_WAIT1 -
tcp 0 43221 127.0.0.1:6000 127.0.0.1:48882 FIN_WAIT1 -
tcp 939820 0 127.0.0.1:48350 127.0.0.1:6000 ESTABLISHED 17897/python
tcp 939820 0 127.0.0.1:48882 127.0.0.1:6000 ESTABLISHED 17890/python
tcp 983041 0 127.0.0.1:48191 127.0.0.1:6000 CLOSE_WAIT 17897/python
tcp 983041 0 127.0.0.1:48948 127.0.0.1:6000 CLOSE_WAIT 17892/python
Restarting the proxy frees up the lingering memory.
This problem did not exist in 2.2.0.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: swift 2.2.2-0ubuntu1~cloud0 [origin: Canonical]
ProcVersionSignature: Ubuntu 3.16.0-48.64~14.04.1-generic 3.16.7-ckt15
Uname: Linux 3.16.0-48-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.12
Architecture: amd64
CrashDB:
{
"impl": "launchpad",
"project": "cloud-archive",
"bug_pattern_url": "http://people.canonical.com/~ubuntu-archive/bugpatterns/bugpatterns.xml",
}
Date: Tue Sep 8 09:55:05 2015
InstallationDate: Installed on 2015-06-22 (77 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
PackageArchitecture: all
SourcePackage: swift
UpgradeStatus: No upgrade log present (probably fresh install) |
|
| 2015-10-13 21:51:37 |
clayg |
bug |
|
|
added subscriber Tim Burke |
| 2015-11-16 11:05:23 |
Örjan Fors |
bug |
|
|
added subscriber Andreas Andersen |
| 2015-11-16 16:57:01 |
Andreas Andersen |
attachment added |
|
leakreproducer.sh https://bugs.launchpad.net/cloud-archive/+bug/1493303/+attachment/4520199/+files/leakreproducer.sh |
|
| 2015-11-19 14:59:17 |
Launchpad Janitor |
swift (Ubuntu): status |
New |
Confirmed |
|
| 2015-12-02 16:44:28 |
John Dickinson |
swift: status |
New |
Confirmed |
|
| 2015-12-04 02:02:11 |
Samuel Merritt |
attachment added |
|
leakpatch-1.diff https://bugs.launchpad.net/cloud-archive/+bug/1493303/+attachment/4529331/+files/leakpatch-1.diff |
|
| 2015-12-07 06:00:23 |
Kota Tsuyuzaki |
attachment added |
|
security_leak_fix.diff https://bugs.launchpad.net/swift/+bug/1493303/+attachment/4530760/+files/security_leak_fix.diff |
|
| 2015-12-07 15:27:49 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
| 2015-12-09 20:22:59 |
Samuel Merritt |
attachment added |
|
socket-leak-2.diff https://bugs.launchpad.net/cloud-archive/+bug/1493303/+attachment/4532159/+files/socket-leak-2.diff |
|
| 2015-12-09 20:59:32 |
Tristan Cacqueray |
bug |
|
|
added subscriber Romain LE DISEZ |
| 2015-12-15 01:18:09 |
John Dickinson |
swift: importance |
Undecided |
Critical |
|
| 2016-01-08 02:18:59 |
Samuel Merritt |
attachment added |
|
socket-leak-3.diff https://bugs.launchpad.net/cloud-archive/+bug/1493303/+attachment/4545988/+files/socket-leak-3.diff |
|
| 2016-01-08 18:15:21 |
Samuel Merritt |
attachment added |
|
socket-leak-4.diff https://bugs.launchpad.net/cloud-archive/+bug/1493303/+attachment/4546358/+files/socket-leak-4.diff |
|
| 2016-01-13 02:03:30 |
Samuel Merritt |
attachment added |
|
socket-leak-kilo-backport.diff https://bugs.launchpad.net/cloud-archive/+bug/1493303/+attachment/4548894/+files/socket-leak-kilo-backport.diff |
|
| 2016-01-13 02:03:52 |
Samuel Merritt |
attachment added |
|
socket-leak-liberty-backport.diff https://bugs.launchpad.net/cloud-archive/+bug/1493303/+attachment/4548896/+files/socket-leak-liberty-backport.diff |
|
| 2016-01-14 14:13:44 |
Tristan Cacqueray |
ossa: status |
Confirmed |
In Progress |
|
| 2016-01-14 14:58:46 |
Tristan Cacqueray |
summary |
Swift proxy memory leak on unfinished read |
Swift proxy memory leak on unfinished read (CVE-2016-0738) |
|
| 2016-01-14 14:58:53 |
Tristan Cacqueray |
cve linked |
|
2016-0738 |
|
| 2016-01-14 16:18:17 |
Alistair Coles |
attachment added |
|
socket-leak-kilo-backport-2.diff https://bugs.launchpad.net/swift/+bug/1493303/+attachment/4549968/+files/socket-leak-kilo-backport-2.diff |
|
| 2016-01-14 17:48:41 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
| 2016-01-20 14:59:18 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
It looks like the Swift proxy will leak memory if the connection is closed and the full response is not read. This opens for a potential DoS attacks.
Reproduce:
$ swift -A http://localhost:8888/auth/v1.0 -U .. -K .. upload --use-slo --segment-size 1048576 <container> <big-file>
$ curl -H'X-Auth-Token: AUTH_...' "http://localhost:8888/v1/AUTH_../<container>/<big-file>" -m 0.001 > /dev/null
Repeat the curl command a couple of times and you will have more information in netstat and sockstat. The important part is the -m which sets the max time curl spends at downloading. After that point, it'll close the connection.
$ sudo netstat -ant -p | grep :6000
$ cat /proc/net/sockstat
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 1358/python
tcp 0 43221 127.0.0.1:6000 127.0.0.1:48350 FIN_WAIT1 -
tcp 0 43221 127.0.0.1:6000 127.0.0.1:48882 FIN_WAIT1 -
tcp 939820 0 127.0.0.1:48350 127.0.0.1:6000 ESTABLISHED 17897/python
tcp 939820 0 127.0.0.1:48882 127.0.0.1:6000 ESTABLISHED 17890/python
tcp 983041 0 127.0.0.1:48191 127.0.0.1:6000 CLOSE_WAIT 17897/python
tcp 983041 0 127.0.0.1:48948 127.0.0.1:6000 CLOSE_WAIT 17892/python
Restarting the proxy frees up the lingering memory.
This problem did not exist in 2.2.0.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: swift 2.2.2-0ubuntu1~cloud0 [origin: Canonical]
ProcVersionSignature: Ubuntu 3.16.0-48.64~14.04.1-generic 3.16.7-ckt15
Uname: Linux 3.16.0-48-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.12
Architecture: amd64
CrashDB:
{
"impl": "launchpad",
"project": "cloud-archive",
"bug_pattern_url": "http://people.canonical.com/~ubuntu-archive/bugpatterns/bugpatterns.xml",
}
Date: Tue Sep 8 09:55:05 2015
InstallationDate: Installed on 2015-06-22 (77 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
PackageArchitecture: all
SourcePackage: swift
UpgradeStatus: No upgrade log present (probably fresh install) |
It looks like the Swift proxy will leak memory if the connection is closed and the full response is not read. This opens for a potential DoS attacks.
Reproduce:
$ swift -A http://localhost:8888/auth/v1.0 -U .. -K .. upload --use-slo --segment-size 1048576 <container> <big-file>
$ curl -H'X-Auth-Token: AUTH_...' "http://localhost:8888/v1/AUTH_../<container>/<big-file>" -m 0.001 > /dev/null
Repeat the curl command a couple of times and you will have more information in netstat and sockstat. The important part is the -m which sets the max time curl spends at downloading. After that point, it'll close the connection.
$ sudo netstat -ant -p | grep :6000
$ cat /proc/net/sockstat
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 1358/python
tcp 0 43221 127.0.0.1:6000 127.0.0.1:48350 FIN_WAIT1 -
tcp 0 43221 127.0.0.1:6000 127.0.0.1:48882 FIN_WAIT1 -
tcp 939820 0 127.0.0.1:48350 127.0.0.1:6000 ESTABLISHED 17897/python
tcp 939820 0 127.0.0.1:48882 127.0.0.1:6000 ESTABLISHED 17890/python
tcp 983041 0 127.0.0.1:48191 127.0.0.1:6000 CLOSE_WAIT 17897/python
tcp 983041 0 127.0.0.1:48948 127.0.0.1:6000 CLOSE_WAIT 17892/python
Restarting the proxy frees up the lingering memory.
This problem did not exist in 2.2.0.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: swift 2.2.2-0ubuntu1~cloud0 [origin: Canonical]
ProcVersionSignature: Ubuntu 3.16.0-48.64~14.04.1-generic 3.16.7-ckt15
Uname: Linux 3.16.0-48-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.12
Architecture: amd64
CrashDB:
{
"impl": "launchpad",
"project": "cloud-archive",
"bug_pattern_url": "http://people.canonical.com/~ubuntu-archive/bugpatterns/bugpatterns.xml",
}
Date: Tue Sep 8 09:55:05 2015
InstallationDate: Installed on 2015-06-22 (77 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
PackageArchitecture: all
SourcePackage: swift
UpgradeStatus: No upgrade log present (probably fresh install) |
|
| 2016-01-20 14:59:24 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
| 2016-01-20 15:00:01 |
Tristan Cacqueray |
summary |
Swift proxy memory leak on unfinished read (CVE-2016-0738) |
[OSSA 2016-004] Swift proxy memory leak on unfinished read (CVE-2016-0738) |
|
| 2016-01-20 16:21:54 |
Ubuntu Foundations Team Bug Bot |
tags |
amd64 apport-bug third-party-packages trusty |
amd64 apport-bug patch third-party-packages trusty |
|
| 2016-01-20 16:22:01 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
| 2016-01-22 03:39:59 |
OpenStack Infra |
tags |
amd64 apport-bug patch third-party-packages trusty |
amd64 apport-bug in-stable-kilo patch third-party-packages trusty |
|
| 2016-01-22 03:41:02 |
OpenStack Infra |
tags |
amd64 apport-bug in-stable-kilo patch third-party-packages trusty |
amd64 apport-bug in-stable-kilo in-stable-liberty patch third-party-packages trusty |
|
| 2016-01-22 03:41:10 |
OpenStack Infra |
swift: status |
Confirmed |
Fix Released |
|
| 2016-01-25 15:01:08 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
| 2016-01-26 14:14:54 |
OpenStack Infra |
tags |
amd64 apport-bug in-stable-kilo in-stable-liberty patch third-party-packages trusty |
amd64 apport-bug in-feature-crypto in-stable-kilo in-stable-liberty patch third-party-packages trusty |
|
| 2016-01-28 16:41:18 |
OpenStack Infra |
cve linked |
|
2016-0737 |
|
| 2016-02-03 09:24:37 |
Jason Pereira |
bug |
|
|
added subscriber Jason Pereira |
| 2016-02-16 09:13:49 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
| 2016-03-08 23:31:34 |
OpenStack Infra |
tags |
amd64 apport-bug in-feature-crypto in-stable-kilo in-stable-liberty patch third-party-packages trusty |
amd64 apport-bug in-feature-crypto in-feature-hummingbird in-stable-kilo in-stable-liberty patch third-party-packages trusty |
|
| 2016-06-03 13:51:29 |
Pratap D |
swift (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2016-06-03 13:54:18 |
Pratap D |
bug |
|
|
added subscriber Pratap D |
| 2016-06-03 15:51:01 |
James Page |
swift (Ubuntu): status |
Fix Released |
Confirmed |
|
| 2016-06-10 10:09:33 |
James Page |
nominated for series |
|
Ubuntu Wily |
|
| 2016-06-10 10:09:33 |
James Page |
bug task added |
|
swift (Ubuntu Wily) |
|
| 2016-06-10 10:09:33 |
James Page |
nominated for series |
|
Ubuntu Vivid |
|
| 2016-06-10 10:09:33 |
James Page |
bug task added |
|
swift (Ubuntu Vivid) |
|
| 2016-06-10 10:09:33 |
James Page |
nominated for series |
|
Ubuntu Yakkety |
|
| 2016-06-10 10:09:33 |
James Page |
bug task added |
|
swift (Ubuntu Yakkety) |
|
| 2016-06-10 10:09:33 |
James Page |
nominated for series |
|
Ubuntu Trusty |
|
| 2016-06-10 10:09:33 |
James Page |
bug task added |
|
swift (Ubuntu Trusty) |
|
| 2016-06-10 10:09:33 |
James Page |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-06-10 10:09:33 |
James Page |
bug task added |
|
swift (Ubuntu Xenial) |
|
| 2016-06-10 10:09:43 |
James Page |
swift (Ubuntu Yakkety): status |
Confirmed |
Fix Released |
|
| 2016-06-10 10:09:47 |
James Page |
swift (Ubuntu Xenial): status |
New |
Fix Released |
|
| 2016-06-10 10:09:53 |
James Page |
swift (Ubuntu Wily): status |
New |
Triaged |
|
| 2016-06-10 10:09:56 |
James Page |
swift (Ubuntu Vivid): status |
New |
Won't Fix |
|
| 2016-06-10 10:09:59 |
James Page |
swift (Ubuntu Trusty): status |
New |
Triaged |
|
| 2016-06-10 10:10:22 |
James Page |
nominated for series |
|
cloud-archive/kilo |
|
| 2016-06-10 10:10:22 |
James Page |
bug task added |
|
cloud-archive/kilo |
|
| 2016-06-10 10:10:22 |
James Page |
nominated for series |
|
cloud-archive/mitaka |
|
| 2016-06-10 10:10:22 |
James Page |
bug task added |
|
cloud-archive/mitaka |
|
| 2016-06-10 10:10:22 |
James Page |
nominated for series |
|
cloud-archive/icehouse |
|
| 2016-06-10 10:10:22 |
James Page |
bug task added |
|
cloud-archive/icehouse |
|
| 2016-06-10 10:10:22 |
James Page |
nominated for series |
|
cloud-archive/liberty |
|
| 2016-06-10 10:10:22 |
James Page |
bug task added |
|
cloud-archive/liberty |
|
| 2016-06-10 10:10:32 |
James Page |
cloud-archive/mitaka: status |
New |
Fix Released |
|
| 2016-06-10 10:11:31 |
James Page |
cloud-archive/kilo: status |
New |
Triaged |
|
| 2016-06-10 10:11:57 |
James Page |
cloud-archive/icehouse: status |
New |
Triaged |
|
| 2016-06-10 10:12:10 |
James Page |
cloud-archive/liberty: status |
New |
Triaged |
|
| 2016-06-10 12:03:41 |
James Page |
bug task deleted |
swift (Ubuntu Vivid) |
|
|
| 2016-09-08 09:39:19 |
James Page |
cloud-archive: status |
New |
Invalid |
|
| 2016-09-08 09:41:16 |
James Page |
swift (Ubuntu Wily): status |
Triaged |
Won't Fix |
|
| 2016-09-08 09:41:30 |
James Page |
swift (Ubuntu Trusty): status |
Triaged |
Won't Fix |
|
| 2016-09-08 09:41:51 |
James Page |
swift (Ubuntu Trusty): status |
Won't Fix |
New |
|
| 2016-09-08 09:42:14 |
James Page |
bug |
|
|
added subscriber Ubuntu Security Team |
| 2016-09-08 09:43:20 |
James Page |
swift (Ubuntu Trusty): importance |
Undecided |
High |
|
| 2020-07-06 20:07:06 |
Eduardo Barretto |
cve linked |
|
2015-5223 |
|
| 2020-07-06 20:07:06 |
Eduardo Barretto |
swift (Ubuntu Trusty): status |
New |
Fix Released |
|
| 2020-07-07 07:36:37 |
Chris MacNaughton |
cloud-archive/icehouse: status |
Triaged |
Won't Fix |
|
| 2020-07-07 07:36:49 |
Chris MacNaughton |
cloud-archive/kilo: status |
Triaged |
Won't Fix |
|
| 2020-07-07 07:37:01 |
Chris MacNaughton |
cloud-archive/liberty: status |
Triaged |
Won't Fix |
|
