[openstack-announce] [OSSA 2014-013] Keystone DoS through V3 API authentication chaining (CVE-2014-2828)

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Apr 10 20:31:11 UTC 2014

OpenStack Security Advisory: 2014-013
CVE: CVE-2014-2828
Date: April 10, 2014
Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: from 2013.1 to 2013.2.3

Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3
API authentication. By sending a single request with the same
authentication method multiple times, a remote attacker may generate
unwanted load on the Keystone host, potentially resulting in a Denial of
Service against a Keystone service. Only Keystone setups enabling V3 API
are affected.

Juno (development branch) fix:

Icehouse (milestone-proposed branch) fix:

Havana fix:

This fix is included in the icehouse-rc2 development milestone and will
be included in a future 2013.2.4 release.


Tristan Cacqueray
OpenStack Vulnerability Management Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140410/e2f997fd/attachment.pgp>

More information about the OpenStack-announce mailing list