OSSA-2014-040: Horizon denial of service attack through login page

Date:

December 09, 2014

CVE:

CVE-2014-8124

Affects

  • Horizon: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description

Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected.

Patches

Credits

  • Eric Peterson from Time Warner Cable (CVE-2014-8124)

References

Notes

  • This fix will be included in future 2014.1.3 and 2014.2.1 releases.

  • The django_openstack_auth Horizon dependency requires the additional patch above.