Bug 1086211 (CVE-2014-2828)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2014-2828 openstack-keystone: denial of service via V3 API authentication chaining | | |
| Product | [Other] Security Response | Reporter | Murray McAllister <mmcallis> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | Udi Kalifon <ukalifon> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | abaron, aortega, apevec, apevec, ayoung, bfilippov, breu, chazlett, chrisw, d.busby, gkotton, gmollett, itamar, Jan.van.Eldik, jonathansteffan, jose.castro.leon, jrusnack, lhh, markmc, p, rbryant, rhos-maint, sclewis, ukalifon, vdanen, yeylon |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this issue. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-10-22 20:08:41 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1086212, 1086213, 1086214, 1150354 | | |
| Bug Blocks | 1086216, 1150355 | | |
Description
Murray McAllister
2014-04-10 11:30:18 UTC
Created openstack-keystone tracking bugs for this issue:

- Affects: fedora-all [bug 1086212]
- Affects: epel-6 [bug 1086213]

MITRE assigned CVE-2014-2828 to this issue: http://seclists.org/oss-sec/2014/q2/88

openstack-keystone-2013.2.3-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

IssueDescription: A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this issue.

This issue has been addressed in the following products: OpenStack 4 for RHEL 6 via RHSA-2014:1688, https://rhn.redhat.com/errata/RHSA-2014-1688.html
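The flaw described above is an input-validation problem on the `methods` list of a V3 `POST /v3/auth/tokens` body. The following is an added example, not keystone's own code, of the server-side check that closes this class of issue: it rejects a request that names the same authentication method more than once, so one request can no longer make the server run an expensive method many times. The request layout follows the public V3 auth API; the `SUPPORTED_METHODS` set, the validation function and its error type are this example's own assumptions.

```python
import json

# Assumed for this example; real deployments configure their own method list.
SUPPORTED_METHODS = {"password", "token"}


class InvalidAuthRequest(ValueError):
    """Raised for a malformed or abusive V3 authentication payload."""


def validate_auth_methods(body: dict) -> list:
    """Return the authentication methods a V3 auth request asks for.

    Raises InvalidAuthRequest when auth.identity.methods is missing, is not a
    non-empty list, names an unsupported method, or names the same method more
    than once. The duplicate check is the mitigation for CVE-2014-2828: without
    it, a body listing one method N times made the server evaluate it N times.
    """
    try:
        methods = body["auth"]["identity"]["methods"]
    except (KeyError, TypeError):
        raise InvalidAuthRequest("auth.identity.methods is required")
    if not isinstance(methods, list) or not methods:
        raise InvalidAuthRequest("auth.identity.methods must be a non-empty list")
    unsupported = [m for m in methods if m not in SUPPORTED_METHODS]
    if unsupported:
        raise InvalidAuthRequest("unsupported method(s): %s" % ", ".join(map(str, unsupported)))
    if len(set(methods)) != len(methods):
        raise InvalidAuthRequest("authentication method listed more than once")
    return list(methods)


def methods_or_error(raw_json: str) -> tuple:
    """Parse a raw request body; return (methods, None) or (None, reason)."""
    try:
        return validate_auth_methods(json.loads(raw_json)), None
    except ValueError as exc:  # JSONDecodeError and InvalidAuthRequest are ValueErrors
        return None, str(exc)


# Constructed sample bodies (not taken from the bug report): a normal password
# login, and the abusive shape where the same method is repeated 50 times.
NORMAL = json.dumps({"auth": {"identity": {"methods": ["password"],
                     "password": {"user": {"name": "demo", "password": "x"}}}}})
CHAINED = json.dumps({"auth": {"identity": {"methods": ["password"] * 50,
                      "password": {"user": {"name": "demo", "password": "x"}}}}})

if __name__ == "__main__":
    print(methods_or_error(NORMAL))   # (['password'], None)
    print(methods_or_error(CHAINED))  # (None, 'authentication method listed more than once')
```

The check belongs before any method plugin is invoked; once the list is known to be unique and supported, the cost of a request is bounded by the number of distinct methods a deployment enables.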