[Bug 1493303] Re: Swift proxy memory leak on unfinished read (CVE-2016-0738)

Tristan Cacqueray tdecacqu at redhat.com
Wed Jan 20 14:59:18 UTC 2016


** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  It looks like the Swift proxy will leak memory if the connection is
  closed and the full response is not read. This opens for a potential DoS
  attacks.
  
  Reproduce:
  
  $ swift -A http://localhost:8888/auth/v1.0 -U .. -K .. upload --use-slo --segment-size 1048576 <container> <big-file>
  $ curl -H'X-Auth-Token: AUTH_...' "http://localhost:8888/v1/AUTH_../<container>/<big-file>" -m 0.001 > /dev/null
  
  Repeat the curl command a couple of times and you will have more
  information in netstat and sockstat. The important part is the -m which
  sets the max time curl spends at downloading. After that point, it'll
  close the connection.
  
  $ sudo netstat -ant -p | grep :6000
  $ cat /proc/net/sockstat
  
  tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN      1358/python
  tcp        0  43221 127.0.0.1:6000          127.0.0.1:48350         FIN_WAIT1   -
  tcp        0  43221 127.0.0.1:6000          127.0.0.1:48882         FIN_WAIT1   -
  tcp   939820      0 127.0.0.1:48350         127.0.0.1:6000          ESTABLISHED 17897/python
  tcp   939820      0 127.0.0.1:48882         127.0.0.1:6000          ESTABLISHED 17890/python
  tcp   983041      0 127.0.0.1:48191         127.0.0.1:6000          CLOSE_WAIT  17897/python
  tcp   983041      0 127.0.0.1:48948         127.0.0.1:6000          CLOSE_WAIT  17892/python
  
  Restarting the proxy frees up the lingering memory.
  
  This problem did not exist in 2.2.0.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: swift 2.2.2-0ubuntu1~cloud0 [origin: Canonical]
  ProcVersionSignature: Ubuntu 3.16.0-48.64~14.04.1-generic 3.16.7-ckt15
  Uname: Linux 3.16.0-48-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.12
  Architecture: amd64
  CrashDB:
   {
                  "impl": "launchpad",
                  "project": "cloud-archive",
                  "bug_pattern_url": "http://people.canonical.com/~ubuntu-archive/bugpatterns/bugpatterns.xml",
               }
  Date: Tue Sep  8 09:55:05 2015
  InstallationDate: Installed on 2015-06-22 (77 days ago)
  InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  PackageArchitecture: all
  SourcePackage: swift
  UpgradeStatus: No upgrade log present (probably fresh install)

** Information type changed from Private Security to Public Security

** Summary changed:

- Swift proxy memory leak on unfinished read (CVE-2016-0738)
+ [OSSA 2016-004] Swift proxy memory leak on unfinished read (CVE-2016-0738)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to swift in Ubuntu.
https://bugs.launchpad.net/bugs/1493303

Title:
  [OSSA 2016-004] Swift proxy memory leak on unfinished read
  (CVE-2016-0738)

Status in Ubuntu Cloud Archive:
  New
Status in OpenStack Security Advisory:
  Fix Committed
Status in OpenStack Object Storage (swift):
  Confirmed
Status in swift package in Ubuntu:
  Confirmed

Bug description:
  It looks like the Swift proxy will leak memory if the connection is
  closed and the full response is not read. This opens for a potential
  DoS attacks.

  Reproduce:

  $ swift -A http://localhost:8888/auth/v1.0 -U .. -K .. upload --use-slo --segment-size 1048576 <container> <big-file>
  $ curl -H'X-Auth-Token: AUTH_...' "http://localhost:8888/v1/AUTH_../<container>/<big-file>" -m 0.001 > /dev/null

  Repeat the curl command a couple of times and you will have more
  information in netstat and sockstat. The important part is the -m
  which sets the max time curl spends at downloading. After that point,
  it'll close the connection.

  $ sudo netstat -ant -p | grep :6000
  $ cat /proc/net/sockstat

  tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN      1358/python
  tcp        0  43221 127.0.0.1:6000          127.0.0.1:48350         FIN_WAIT1   -
  tcp        0  43221 127.0.0.1:6000          127.0.0.1:48882         FIN_WAIT1   -
  tcp   939820      0 127.0.0.1:48350         127.0.0.1:6000          ESTABLISHED 17897/python
  tcp   939820      0 127.0.0.1:48882         127.0.0.1:6000          ESTABLISHED 17890/python
  tcp   983041      0 127.0.0.1:48191         127.0.0.1:6000          CLOSE_WAIT  17897/python
  tcp   983041      0 127.0.0.1:48948         127.0.0.1:6000          CLOSE_WAIT  17892/python

  Restarting the proxy frees up the lingering memory.

  This problem did not exist in 2.2.0.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: swift 2.2.2-0ubuntu1~cloud0 [origin: Canonical]
  ProcVersionSignature: Ubuntu 3.16.0-48.64~14.04.1-generic 3.16.7-ckt15
  Uname: Linux 3.16.0-48-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.12
  Architecture: amd64
  CrashDB:
   {
                  "impl": "launchpad",
                  "project": "cloud-archive",
                  "bug_pattern_url": "http://people.canonical.com/~ubuntu-archive/bugpatterns/bugpatterns.xml",
               }
  Date: Tue Sep  8 09:55:05 2015
  InstallationDate: Installed on 2015-06-22 (77 days ago)
  InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  PackageArchitecture: all
  SourcePackage: swift
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1493303/+subscriptions



More information about the Ubuntu-openstack-bugs mailing list