Comment 32 for bug 1493303

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote : Re: Swift proxy memory leak on unfinished read

It seems like both leaks (proxy to server and client to proxy) have been reported on former bug 1466549. I've subscribed the original reporter.

Örjan, I can't find your affiliation, if you want to credit your current employer, please let me know.

Here is the impact description to cover both bugs (which will likely get two different CVE):

Title: Swift proxy-server DoS through Large Object
Reporter: Romain LE DISEZ (OVH), Örjan Persson
Products: Swift
Affects: client-proxy: < 2.4.0 (Liberty)
      proxy-server: =< 2.5.0 (Liberty included)

Romain LE DISEZ from OVH and Örjan Persson independently reported two vulnerabilities in Swift Large Object. By repeatedly requesting and interrupting connections to a Large Object (Dynamic or Static) URL, a remote attacker may exhausts Swift proxy-server resources, potentially resulting in a denial of service. Note that there are two distinct bugs that can exhaust proxy resources, one for client connection (client to proxy), one for servers connection (proxy to server). All Swift setup are affected.