[OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124)
OpenStack Security Advisory: 2014-040 CVE: CVE-2014-8124 Date: December 09, 2014 Title: Horizon denial of service attack through login page Reporter: Eric Peterson (Time Warner Cable) Products: Horizon Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1
Description: Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected.
Kilo (development branch) fix: https://review.openstack.org/140353
Juno fix: https://review.openstack.org/140358
Icehouse fix: https://review.openstack.org/140356
django_openstack_auth fix: https://review.openstack.org/140352
Notes: This fix will be included in future 2014.1.3 and 2014.2.1 releases. The django_openstack_auth Horizon dependency requires the additional patch above.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124 https://launchpad.net/bugs/1394370
participants (1)
-
Tristan Cacqueray