OSSA-2014-013: Keystone DoS through V3 API authentication chaining

OSSA-2014-013: Keystone DoS through V3 API authentication chaining¶

Date:: April 10, 2014
CVE:: CVE-2014-2828

Affects¶

Keystone: TODO

Description¶

Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.

Patches¶

https://review.openstack.org/#/c/86024 (Havana)
https://review.openstack.org/#/c/84735 (Icehouse)
https://review.openstack.org/#/c/84425 (Juno)

Credits¶

Abu Shohel Ahmed from Ericsson (CVE-2014-2828)

References¶

https://launchpad.net/bugs/1300274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2828

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.