oss-sec mailing list archives
[OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124)
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Tue, 09 Dec 2014 14:02:49 -0500
OpenStack Security Advisory: 2014-040 CVE: CVE-2014-8124 Date: December 09, 2014 Title: Horizon denial of service attack through login page Reporter: Eric Peterson (Time Warner Cable) Products: Horizon Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1 Description: Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected. Kilo (development branch) fix: https://review.openstack.org/140353 Juno fix: https://review.openstack.org/140358 Icehouse fix: https://review.openstack.org/140356 django_openstack_auth fix: https://review.openstack.org/140352 Notes: This fix will be included in future 2014.1.3 and 2014.2.1 releases. The django_openstack_auth Horizon dependency requires the additional patch above. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124 https://launchpad.net/bugs/1394370 -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124) Tristan Cacqueray (Dec 09)