The following was reported to the oss-security list:

Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: from 2013.1 to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.

References:
https://launchpad.net/bugs/1300274
http://seclists.org/oss-sec/2014/q2/65
https://review.openstack.org/#/c/86024/
https://git.openstack.org/cgit/openstack/keystone/commit/?id=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
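The "authentication chaining" the advisory describes, as an added illustration that is not code from this bug, from Keystone, or from the reporter: a V3 `auth` body lists the methods to run in `auth.identity.methods`, and a server that dispatches once per list entry will run the password plugin as many times as the attacker repeats the name, each run costing a full password hash. The request shape below follows Keystone's documented V3 format; the user store, the PBKDF2 parameters, the plugin table and the `password_plugin` stand-in are constructed for the example. The hardened variant deduplicates the method list while keeping its order (which is what I recall the referenced upstream change doing; it is not copied from it) and additionally refuses lists longer than the number of supported plugins, a cap that is my own addition and not something the page describes.

```python
import hashlib
import hmac

# Constructed sample data (not from the page): one user whose password is
# stored as a PBKDF2 hash. The iteration count is deliberately non-trivial so
# that every plugin invocation costs real CPU; the bug lets one request
# multiply that cost by the length of the attacker's method list.
SALT = b"constructed-salt"
ITERATIONS = 5000


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice": hash_password("correct horse battery staple")}


def password_plugin(payload, stats):
    """Stand-in for Keystone's password auth plugin: one PBKDF2 per call."""
    stats["plugin_calls"] += 1
    user = payload["user"]
    stored = USERS.get(user["name"])
    candidate = hash_password(user["password"])  # hash even for unknown users
    return stored is not None and hmac.compare_digest(stored, candidate)


PLUGINS = {"password": password_plugin}


def build_v3_request(repeat, password="correct horse battery staple"):
    """V3 auth body in Keystone's real shape, with the method name repeated
    `repeat` times in auth.identity.methods (the attacker's input)."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"] * repeat,
                "password": {
                    "user": {
                        "name": "alice",
                        "password": password,
                        "domain": {"id": "default"},
                    }
                },
            }
        }
    }


def authenticate_vulnerable(body):
    """Dispatches once per listed method, verbatim. 'password' listed N times
    runs the plugin N times, so cost scales with list length, not with the
    number of distinct credentials supplied. Returns (authenticated, calls)."""
    stats = {"plugin_calls": 0}
    identity = body["auth"]["identity"]
    if not identity["methods"]:
        raise ValueError("no auth methods given")
    for method in identity["methods"]:
        plugin = PLUGINS.get(method)
        if plugin is None:
            raise ValueError("unsupported auth method: %r" % method)
        if not plugin(identity[method], stats):
            return False, stats["plugin_calls"]
    return True, stats["plugin_calls"]


def authenticate_hardened(body):
    """Deduplicates the method list (keeping order) before dispatch and
    rejects lists with more distinct methods than the server supports, so a
    single request can trigger each plugin at most once."""
    stats = {"plugin_calls": 0}
    identity = body["auth"]["identity"]
    methods = list(dict.fromkeys(identity["methods"]))  # order-preserving dedup
    if not methods or len(methods) > len(PLUGINS):
        raise ValueError("invalid number of auth methods: %d" % len(methods))
    for method in methods:
        plugin = PLUGINS.get(method)
        if plugin is None:
            raise ValueError("unsupported auth method: %r" % method)
        if method not in identity:
            raise ValueError("missing payload for method %r" % method)
        if not plugin(identity[method], stats):
            return False, stats["plugin_calls"]
    return True, stats["plugin_calls"]


if __name__ == "__main__":
    body = build_v3_request(200)
    print("vulnerable:", authenticate_vulnerable(body))  # (True, 200)
    print("hardened:  ", authenticate_hardened(body))    # (True, 1)
```

Run it and compare the second element of each tuple: the vulnerable dispatcher performs 200 password hashes for one HTTP request carrying one credential, the hardened one performs a single hash. Raising `ITERATIONS` (or swapping in the sha512_crypt Keystone used at the time) makes the wall-clock difference obvious, which is the load the advisory is talking about.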
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1086212]
Affects: epel-6 [bug 1086213]
MITRE assigned CVE-2014-2828 to this issue: http://seclists.org/oss-sec/2014/q2/88
openstack-keystone-2013.2.3-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this issue.
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1688 https://rhn.redhat.com/errata/RHSA-2014-1688.html