OpenStack Security Advisory: 2014-040 CVE: CVE-2014-8124 Date: December 09, 2014 Title: Horizon denial of service attack through login page Reporter: Eric Peterson (Time Warner Cable) Products: Horizon Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1 Description: Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected. Kilo (development branch) fix: https://review.openstack.org/140353 Juno fix: https://review.openstack.org/140358 Icehouse fix: https://review.openstack.org/140356 django_openstack_auth fix: https://review.openstack.org/140352 Notes: This fix will be included in future 2014.1.3 and 2014.2.1 releases. The django_openstack_auth Horizon dependency requires the additional patch above. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124 https://launchpad.net/bugs/1394370 -- Tristan Cacqueray OpenStack Vulnerability Management Team