oss-sec mailing list archives
[OSSA 2014-013] Keystone DoS through V3 API authentication chaining (CVE-2014-2828)
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Thu, 10 Apr 2014 22:31:24 +0200
OpenStack Security Advisory: 2014-013 CVE: CVE-2014-2828 Date: April 10, 2014 Title: Keystone DoS through V3 API authentication chaining Reporter: Abu Shohel Ahmed (Ericsson) Products: Keystone Versions: from 2013.1 to 2013.2.3 Description: Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected. Juno (development branch) fix: https://review.openstack.org/84425 Icehouse (milestone-proposed branch) fix: https://review.openstack.org/84735 Havana fix: https://review.openstack.org/86024 Notes: This fix is included in the icehouse-rc2 development milestone and will be included in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2828 https://launchpad.net/bugs/1300274 -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [OSSA 2014-013] Keystone DoS through V3 API authentication chaining (CVE-2014-2828) Tristan Cacqueray (Apr 10)