[OSSA 2014-013] Keystone DoS through V3 API authentication chaining (CVE-2014-2828)

[Tristan Cacqueray <tristan.cacqueray () enovance com>]

OpenStack Security Advisory: 2014-013
CVE: CVE-2014-2828
Date: April 10, 2014
Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: from 2013.1 to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3
API authentication. By sending a single request with the same
authentication method multiple times, a remote attacker may generate
unwanted load on the Keystone host, potentially resulting in a Denial of
Service against a Keystone service. Only Keystone setups enabling V3 API
are affected.

Juno (development branch) fix:
https://review.openstack.org/84425

Icehouse (milestone-proposed branch) fix:
https://review.openstack.org/84735

Havana fix:
https://review.openstack.org/86024

Notes:
This fix is included in the icehouse-rc2 development milestone and will
be included in a future 2013.2.4 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2828
https://launchpad.net/bugs/1300274

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: OpenPGP digital signature