[openstack-announce] [OSSA 2014-013] Keystone DoS through V3 API authentication chaining (CVE-2014-2828)

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Apr 10 20:31:11 UTC 2014


OpenStack Security Advisory: 2014-013
CVE: CVE-2014-2828
Date: April 10, 2014
Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: from 2013.1 to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3
API authentication. By sending a single request with the same
authentication method multiple times, a remote attacker may generate
unwanted load on the Keystone host, potentially resulting in a Denial of
Service against a Keystone service. Only Keystone setups enabling V3 API
are affected.

Juno (development branch) fix:
https://review.openstack.org/84425

Icehouse (milestone-proposed branch) fix:
https://review.openstack.org/84735

Havana fix:
https://review.openstack.org/86024

Notes:
This fix is included in the icehouse-rc2 development milestone and will
be included in a future 2013.2.4 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2828
https://launchpad.net/bugs/1300274

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140410/e2f997fd/attachment.pgp>


More information about the OpenStack-announce mailing list