OSSA-2014-040: Horizon denial of service attack through login page


Date: December 09, 2014
CVE: CVE-2014-8124

Affects

  • Horizon: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description

Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected.
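The following is an added example written for this advisory; it is not Horizon, django_openstack_auth or Django code, and it does not reproduce the actual fix. It models the mechanism the description gives, a server-side (db or memcached style) session engine that gains one record for every anonymous visit to the login page, against the same engine when the login view leaves an unmodified session alone, and it adds a small access-log check a defender could run to spot a client hammering the login page. The login path `/auth/login/`, the log format, the client addresses and the session marker the vulnerable view writes are all constructed assumptions.

```python
"""Model of a server-side session store under repeated login-page requests.

Added example for OSSA-2014-040. Not Horizon/Django code; the store, the
request model and the "marker" the vulnerable view writes are assumptions.
"""
import re
import secrets
from collections import Counter


class ServerSideSessionStore:
    """Stand-in for a db or memcached session engine. Every saved session
    costs a record on the server, so record count is what an attacker can
    inflate. A signed-cookie engine keeps no such records, which is why the
    advisory limits the impact to db/memcached setups."""

    def __init__(self):
        self.records = {}

    def save(self, key, data):
        self.records[key] = dict(data)


class Session:
    """Minimal session: a random key, a dict, and a 'modified' flag that the
    request handler consults before persisting (Django persists a session
    only when it was modified, unless configured to save every request)."""

    def __init__(self):
        self.key = secrets.token_hex(16)
        self.data = {}
        self.modified = False

    def __setitem__(self, name, value):
        self.data[name] = value
        self.modified = True


def handle_login_page(store, touch_session_on_get, authenticated=False):
    """One request to the login page from a client that sends no cookie.

    touch_session_on_get=True models the defect: the view writes a marker
    (assumed name) into every anonymous visitor's session, so the session
    is 'modified' and gets persisted. With False, an anonymous GET leaves
    the session untouched and nothing is written until authentication.
    """
    session = Session()
    if touch_session_on_get:
        session["login_form_seen"] = True      # assumed marker, see docstring
    if authenticated:
        session["user_id"] = "demo-user"       # constructed value
    if session.modified:
        store.save(session.key, session.data)
    return session.key


def records_after(n_anonymous_hits, touch_session_on_get):
    """Records in the store after n anonymous hits followed by one login."""
    store = ServerSideSessionStore()
    for _ in range(n_anonymous_hits):
        handle_login_page(store, touch_session_on_get)
    handle_login_page(store, touch_session_on_get, authenticated=True)
    return len(store.records)


# --- detection side: count login-page hits per client in an access log ---

# Common log format; group names are our own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Dec/2014:10:00:01 +0000] "GET /auth/login/ HTTP/1.1" 200 4123',
    '203.0.113.5 - - [09/Dec/2014:10:00:01 +0000] "GET /auth/login/ HTTP/1.1" 200 4123',
    '198.51.100.7 - - [09/Dec/2014:10:00:02 +0000] "GET /auth/login/ HTTP/1.1" 200 4123',
    '203.0.113.5 - - [09/Dec/2014:10:00:02 +0000] "GET /auth/login/?next=/ HTTP/1.1" 200 4123',
    '198.51.100.7 - - [09/Dec/2014:10:00:03 +0000] "GET /project/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [09/Dec/2014:10:00:03 +0000] "GET /auth/login/ HTTP/1.1" 200 4123',
    'garbage line that does not parse',
    '203.0.113.5 - - [09/Dec/2014:10:00:04 +0000] "GET /auth/login/ HTTP/1.1" 200 4123',
]


def login_hits_per_client(log_lines, login_path="/auth/login/"):
    """Count requests per client IP whose path (query string stripped) is the
    login page. Unparseable lines are skipped rather than aborting the scan."""
    counts = Counter()
    for line in log_lines:
        match = LOG_RE.match(line)
        if match is None:
            continue
        if match.group("path").split("?", 1)[0] == login_path:
            counts[match.group("ip")] += 1
    return counts


def noisy_clients(log_lines, threshold):
    """Clients with at least `threshold` login-page hits in the window."""
    hits = login_hits_per_client(log_lines)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print("records, view touches session on GET:", records_after(1000, True))
    print("records, view leaves session alone:  ", records_after(1000, False))
    print("noisy clients:", noisy_clients(SAMPLE_LOG, 3))
```

The first two numbers show the asymmetry the advisory describes: when the login page writes into every anonymous session, the record count grows with request volume; when it does not, the store holds only the sessions of users who actually authenticated. The log check is deliberately coarse (a per-client count over whatever window of lines you feed it) and is meant as a starting point for alerting while a patched Horizon is rolled out, not as a substitute for the fix.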

Credits

  • Eric Peterson from Time Warner Cable (CVE-2014-8124)

Notes

  • This fix will be included in future 2014.1.3 and 2014.2.1 releases.
  • The django_openstack_auth Horizon dependency requires the additional patch above.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.