OSSA-2014-040: Horizon denial of service attack through login page
- Date: December 09, 2014
- CVE: CVE-2014-8124
Affects
Horizon: up to 2014.1.3, and 2014.2 versions up to 2014.2.1
Description
Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page, a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected.
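As an added illustration (not Horizon's or django_openstack_auth's code), the toy model below shows why a login view that writes to the session on every anonymous request fills a db or memcached session backend, beside a version that persists nothing until a write is actually needed, plus a simple session-growth check an operator could run; the SessionStore and both handlers are assumptions constructed for this example.

```python
"""Toy model of the session-record growth described in OSSA-2014-040.

Everything here is constructed for illustration; it is not Horizon's or
django_openstack_auth's code and does not reproduce the real fix.
"""


class SessionStore:
    """Stand-in for a db or memcached session backend (constructed)."""

    def __init__(self):
        self.records = {}

    def save(self, data):
        key = f"sess-{len(self.records)}"
        self.records[key] = dict(data)
        return key


def login_get_vulnerable(store):
    """Anonymous GET that writes to the session on every request: each
    request persists a new record, so repeated requests grow the backend."""
    session = {"next": "/"}          # e.g. stashing a redirect target
    store.save(session)


def login_get_hardened(store):
    """Anonymous GET that leaves the session untouched; nothing is persisted
    until some later, authenticated step actually needs a session."""
    session = {}                     # no writes for unauthenticated views
    if session:                      # persist only if something was written
        store.save(session)


def records_after(handler, n_requests):
    """Number of session records left behind by n anonymous requests."""
    store = SessionStore()
    for _ in range(n_requests):
        handler(store)
    return len(store.records)


def session_growth_alert(count_now, count_before, limit):
    """Operational check: flag a burst of new sessions within one interval."""
    return (count_now - count_before) > limit


if __name__ == "__main__":
    print("vulnerable:", records_after(login_get_vulnerable, 1000))  # 1000
    print("hardened:", records_after(login_get_hardened, 1000))      # 0
```

Polling the session table or memcached item count and feeding it to session_growth_alert gives a cheap signal that this kind of traffic is hitting the login page.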
Patches
https://review.openstack.org/140352 (Django_openstack_auth)
https://review.openstack.org/140356 (Icehouse)
Credits
Eric Peterson from Time Warner Cable (CVE-2014-8124)
References
Notes
This fix will be included in future 2014.1.3 and 2014.2.1 releases.
The django_openstack_auth Horizon dependency requires the additional patch above.