OpenStack Security Advisory: 2014-013 CVE: CVE-2014-2828 Date: April 10, 2014 Title: Keystone DoS through V3 API authentication chaining Reporter: Abu Shohel Ahmed (Ericsson) Products: Keystone Versions: from 2013.1 to 2013.2.3 Description: Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected. Juno (development branch) fix: https://review.openstack.org/84425 Icehouse (milestone-proposed branch) fix: https://review.openstack.org/84735 Havana fix: https://review.openstack.org/86024 Notes: This fix is included in the icehouse-rc2 development milestone and will be included in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2828 https://launchpad.net/bugs/1300274 -- Tristan Cacqueray OpenStack Vulnerability Management Team