A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.
Description - Murray McAllister
2014-12-02 05:31:47 UTC
The OpenStack project reports:
""
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1
Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.
""
Acknowledgement:
Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Eric Peterson from Time Warner Cable as the original reporter.
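The mechanism described above (anonymous requests to the login page each leaving a session record in a db or memcached backend) is easy to reason about with a small model. The following is an added illustration written for this page; it is not Horizon's or Django's code. It assumes Django-style session semantics (a session is persisted when it was modified, or unconditionally when a save-every-request setting is on), a hypothetical `next` marker as the thing the vulnerable login view writes into every visitor's session, and a memcached-like store that evicts its oldest entry when full. The last function shows why this is a denial of service rather than just waste: a flood of anonymous sessions can push a legitimate logged-in user's session out of a bounded cache.

```python
"""Model of backend session growth from anonymous login-page requests.

Constructed illustration for this advisory; not Horizon's or Django's code.
Assumption: sessions are written to the backend when modified, or on every
request when save_every_request is set (Django-style behaviour).
"""
from collections import OrderedDict
import secrets


class BackendSessionStore:
    """Stand-in for a db or memcached session backend.

    capacity=None models a database table that simply grows; a number models
    a memcached-style cache that evicts the oldest entry once it is full.
    """

    def __init__(self, capacity=None):
        self.entries = OrderedDict()
        self.capacity = capacity
        self.evicted = 0

    def save(self, key, data):
        self.entries[key] = dict(data)
        self.entries.move_to_end(key)
        if self.capacity is not None and len(self.entries) > self.capacity:
            self.entries.popitem(last=False)  # drop the oldest session
            self.evicted += 1

    def __contains__(self, key):
        return key in self.entries

    def __len__(self):
        return len(self.entries)


class Session:
    """Per-request session object; tracks whether anything was written."""

    def __init__(self):
        self.key = secrets.token_hex(16)
        self.data = {}
        self.modified = False

    def __setitem__(self, name, value):
        self.data[name] = value
        self.modified = True


def login_page_get(session, touch_session):
    """Render the login form.

    Vulnerable variant (touch_session=True): writes a hypothetical 'next'
    marker into the session of every anonymous visitor, so each request
    produces a backend record. Hardened variant: only reads the session.
    """
    if touch_session:
        session["next"] = "/"
    return "<form>"


def serve_login_requests(n_requests, store, save_every_request, touch_session):
    """Simulate n_requests fresh anonymous clients (no session cookie) hitting
    the login page, then return how many backend session entries exist."""
    for _ in range(n_requests):
        session = Session()
        login_page_get(session, touch_session)
        if session.modified or save_every_request:
            store.save(session.key, session.data)
    return len(store)


def legit_session_evicted_by_flood(capacity, n_flood):
    """Store a logged-in user's session in a bounded cache, flood it with
    anonymous login-page requests in the vulnerable configuration, and report
    whether the legitimate session was evicted (the user is logged out)."""
    store = BackendSessionStore(capacity=capacity)
    legit = Session()
    legit["user_id"] = "alice"  # constructed sample user
    store.save(legit.key, legit.data)
    serve_login_requests(n_flood, store, save_every_request=False, touch_session=True)
    return legit.key not in store


if __name__ == "__main__":
    print("vulnerable:", serve_login_requests(500, BackendSessionStore(), False, True))
    print("hardened:  ", serve_login_requests(500, BackendSessionStore(), False, False))
    print("legit session evicted by 100-request flood into a 100-slot cache:",
          legit_session_evicted_by_flood(capacity=100, n_flood=100))
```

The model makes the defender's checks concrete: an unauthenticated page should not modify the session, and a save-every-request setting turns every anonymous hit into a backend write regardless of the view's behaviour. Monitoring the session table size (or memcached eviction counters) against login-page request rates is a cheap way to notice this pattern on an affected deployment.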
Comment 13 - Murray McAllister
2014-12-15 03:40:33 UTC
Comment 14 - Murray McAllister
2014-12-15 03:45:35 UTC
Created python-django-horizon tracking bugs for this issue:
Affects: fedora-all [bug 1174066]
Affects: openstack-rdo [bug 1174067]
Comment 20 - Fedora Update System
2015-01-05 07:40:53 UTC
python-django-horizon-2014.1.3-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.