Bugzilla – Bug 962051
VUL-0: CVE-2016-0737, CVE-2016-0738: openstack-swift: Swift proxy-server DoS through Large Object
Last modified: 2016-01-29 10:59:15 UTC
Title: Swift proxy-server DoS through Large Object
Reporter: Romain LE DISEZ (OVH), Örjan Persson (Kiliaro)
Products: Swift
Affects:
- CVE-2016-0737: >=2.2.1 <= 2.3.0
- CVE-2016-0738: >=2.2.1 <= 2.3.0, >= 2.4.0 <= 2.5.0
Description: Romain LE DISEZ from OVH and Örjan Persson from Kiliaro independently reported two vulnerabilities in Swift Large Object. By repeatedly requesting and interrupting connections to a Large Object (Dynamic or Static) URL, a remote attacker may exhaust Swift proxy-server resources, potentially resulting in a denial of service. Note that there are two distinct bugs that can exhaust proxy resources: one for client connections (client to proxy, CVE-2016-0737) and one for server connections (proxy to server, CVE-2016-0738). All Swift setups are affected.
Proposed patch: See attached patches for CVE-2016-0738. Unless a flaw is discovered in them, these patches will be merged to master/mitaka, stable/liberty and stable/kilo on the public disclosure date. For CVE-2016-0737, the stable/kilo patch is available here:
- https://review.openstack.org/#/c/217750/
CVE: CVE-2016-0737, CVE-2016-0738
CRD: 2016-01-20 1500 UTC
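The advisory describes the trigger as repeated, interrupted requests against a Large Object URL. From the operator's side, the observable symptom before a patch is applied is a burst of large-object GETs from one source that each end after transferring only a small fraction of the object. The following detector is an added example written for this page, not code from the advisory, Swift, or either reporter. It assumes a simplified, constructed log layout (one line per request: client IP, method, path, status, bytes sent, object length, request time) rather than Swift's real proxy-logging format; the 64 MiB size floor, the 10% completion cut-off and the per-source threshold are tunable assumptions.

```python
"""Heuristic detector for the abort-and-retry pattern described in
CVE-2016-0737 / CVE-2016-0738: many client-aborted GETs against
Swift Large Object URLs from the same source.

The sample log lines and the line layout below are constructed for
this example; they are NOT Swift's real proxy-logging format."""
from collections import defaultdict

# Constructed, simplified layout (an assumption for this example):
#   <client_ip> <method> <path> <status> <bytes_sent> <object_length> <request_time_s>
SAMPLE_LOG = """\
203.0.113.7 GET /v1/AUTH_test/videos/big.mp4 200 131072 4294967296 0.120
203.0.113.7 GET /v1/AUTH_test/videos/big.mp4 200 65536 4294967296 0.080
203.0.113.7 GET /v1/AUTH_test/videos/big.mp4 200 131072 4294967296 0.110
203.0.113.7 GET /v1/AUTH_test/videos/big.mp4 200 0 4294967296 0.010
203.0.113.7 GET /v1/AUTH_test/videos/big.mp4 200 262144 4294967296 0.200
198.51.100.9 GET /v1/AUTH_test/videos/big.mp4 200 4294967296 4294967296 812.300
198.51.100.9 GET /v1/AUTH_test/docs/readme.txt 200 512 512 0.004
203.0.113.7 HEAD /v1/AUTH_test/videos/big.mp4 200 0 4294967296 0.003
"""


def parse_line(line):
    """Split one constructed log line into typed fields; None if malformed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ip, method, path, status, sent, length, rtime = fields
    try:
        return {"ip": ip, "method": method, "path": path,
                "status": int(status), "sent": int(sent),
                "length": int(length), "rtime": float(rtime)}
    except ValueError:
        return None


def is_aborted_get(rec, min_size=64 * 1024 * 1024, completion=0.10):
    """Treat a 200 GET for a large body that delivered well under
    `completion` of the object length as a client-side abort.
    Only GETs count: a HEAD legitimately sends no body, and a full
    transfer (sent == length) is a normal download."""
    return (rec["method"] == "GET"
            and rec["status"] == 200
            and rec["length"] >= min_size
            and rec["sent"] < rec["length"] * completion)


def find_abort_storms(log_text, threshold=3):
    """Return {client_ip: aborted_large_get_count} for sources whose
    aborted large-object GETs reach `threshold` in the supplied window."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_aborted_get(rec):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_abort_storms(SAMPLE_LOG).items():
        print(f"{ip}: {n} aborted large-object GETs in window")
```

In the constructed sample, 203.0.113.7 is reported with five aborted GETs, while the full download and the small-object request from 198.51.100.9 and the HEAD request are ignored. A real deployment would feed this the proxy's access log in its actual format and would size the thresholds to its own traffic; the check is a triage signal for operators who cannot yet apply the patches, not a substitute for them.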
We're not affected, bug opened just for reference
public