[openstack-announce] [OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124)

Tristan Cacqueray tristan.cacqueray at enovance.com
Tue Dec 9 19:02:32 UTC 2014


OpenStack Security Advisory: 2014-040
CVE: CVE-2014-8124
Date: December 09, 2014
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.

Kilo (development branch) fix:
https://review.openstack.org/140353

Juno fix:
https://review.openstack.org/140358

Icehouse fix:
https://review.openstack.org/140356

django_openstack_auth fix:
https://review.openstack.org/140352

Notes:
This fix will be included in future 2014.1.3 and 2014.2.1 releases.
The django_openstack_auth Horizon dependency requires the additional
patch above.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124
https://launchpad.net/bugs/1394370

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 538 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20141209/e475c933/attachment.pgp>


More information about the OpenStack-announce mailing list