Bugzilla – Bug 908199
VUL-0: CVE-2014-8124: openstack-dashboard: Horizon denial of service attack through login page
Last modified: 2015-07-02 17:01:11 UTC
CRD: 2014-12-09 15:00 UTC

This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.

Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/icehouse, stable/juno and master on the public disclosure date. Note that the django_openstack_auth Horizon dependency requires an additional patch to be applied.

CVE: CVE-2014-8124

Proposed public disclosure date/time: 2014-12-09, 1500UTC

Please do not make the issue public (or release public patches) before this coordinated embargo date.
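The failure mode described in the advisory, as an added toy model (not Horizon or django_openstack_auth code, and not the attached patches): a server-side session store standing in for the db/memcached backend, a login view that persists a session record on every anonymous request, and a variant that only persists one after a successful login. All names (SessionStore, Request, login_view_*) are hypothetical.

```python
"""Constructed model of unbounded session-record growth from an anonymous login page."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionStore:
    """Stand-in for a db/memcached session engine: one stored record per session key."""
    records: dict = field(default_factory=dict)

    def save(self, key: str, data: dict) -> None:
        self.records[key] = dict(data)

    def __len__(self) -> int:
        return len(self.records)


@dataclass
class Request:
    method: str
    session_key: Optional[str] = None  # client's session cookie value, if it sent one


def login_view_vulnerable(req: Request, store: SessionStore, authenticated: bool = False) -> str:
    """Writes a session record for every hit, so each cookie-less GET adds a new row."""
    key = req.session_key or secrets.token_hex(16)
    store.save(key, {"_next": "/"})  # persisted even though the client is anonymous
    return key


def login_view_hardened(req: Request, store: SessionStore, authenticated: bool = False) -> Optional[str]:
    """Persists a session only once a login actually succeeds; anonymous GETs leave no record."""
    if req.method == "POST" and authenticated:
        key = secrets.token_hex(16)  # fresh key at login, never reuse a pre-auth key
        store.save(key, {"user_id": 1})
        return key
    return None


def records_after(view, n_requests: int) -> int:
    """Number of stored sessions after n anonymous GETs that carry no session cookie."""
    store = SessionStore()
    for _ in range(n_requests):
        view(Request("GET"), store)
    return len(store)


if __name__ == "__main__":
    print("vulnerable:", records_after(login_view_vulnerable, 1000))  # one record per request
    print("hardened:  ", records_after(login_view_hardened, 1000))    # zero records
```

On a real deployment the same symptom shows up as the session table or memcached key count growing in step with unauthenticated hits on the login URL, which is the metric worth watching while the fixed packages roll out.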
Created attachment 615774 [details] cve-2014-8124-stable-icehouse.patch
Created attachment 615775 [details] cve-2014-8124-master-kilo.patch
Created attachment 615776 [details] cve-2014-8124-stable-juno.patch
Created attachment 615777 [details] cve-2014-8124-django_openstack_auth.patch
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-12-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59957
public
https://review.openstack.org/#/q/I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71,n,z
https://bugs.launchpad.net/horizon/+bug/1394370
This is an autogenerated message for OBS integration: This bug (908199) was mentioned in https://build.opensuse.org/request/show/265000 13.1 / openstack-dashboard
Updates submitted to Cloud3, Cloud4 and 13.1. 13.2 and Factory do not have OpenStack, and 12.3 has an OpenStack EOL version.
SUSE-SU-2015:0015-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 908199
CVE References: CVE-2014-8124
Sources used:
SUSE Cloud 4 (src): openstack-dashboard-2014.1.4.dev12.gfb429f4-0.7.1
released
openSUSE-SU-2015:0078-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 852175,869696,871855,885588,891815,908199
CVE References: CVE-2013-6858,CVE-2014-0157,CVE-2014-3473,CVE-2014-3474,CVE-2014-3475,CVE-2014-3594,CVE-2014-8124
Sources used:
openSUSE 13.1 (src): openstack-dashboard-2013.2.5.dev2.g9ee7273-4.1, python-django_openstack_auth-1.1.3-4.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-06-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61888