Bug 1169637 (CVE-2014-8124) - CVE-2014-8124 python-django-horizon: denial of service via login page requests
Summary: CVE-2014-8124 python-django-horizon: denial of service via login page requests
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8124
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1170421 1174066 1174067 1174080 1174081 1174082 1174083 1174085
Blocks: 1169638
 
Reported: 2014-12-02 05:31 UTC by Murray McAllister
Modified: 2023-05-12 22:30 UTC (History)
CC List: 18 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-04-20 03:33:24 UTC
Embargoed:


Attachments
cve-2014-8124-django_openstack_auth.patch (960 bytes, patch), 2014-12-04 00:22 UTC, Kurt Seifried
cve-2014-8124-master-kilo.patch (2.60 KB, patch), 2014-12-04 00:22 UTC, Kurt Seifried
cve-2014-8124-stable-icehouse.patch (2.40 KB, patch), 2014-12-04 00:23 UTC, Kurt Seifried
cve-2014-8124-stable-juno.patch (2.60 KB, patch), 2014-12-04 00:23 UTC, Kurt Seifried


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1394370 0 None None None Never
Red Hat Product Errata RHSA-2015:0839 0 normal SHIPPED_LIVE Moderate: python-django-horizon and python-django-openstack-auth update 2015-04-16 19:08:45 UTC
Red Hat Product Errata RHSA-2015:0845 0 normal SHIPPED_LIVE Moderate: python-django-horizon and python-django-openstack-auth update 2015-04-16 18:27:28 UTC

Description Murray McAllister 2014-12-02 05:31:47 UTC
The OpenStack project reports:

""
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.
""

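The following Python model illustrates the mechanism the advisory above describes. It is a constructed example added here, not Horizon or django_openstack_auth source and not the attached patches: it stands in a toy server-side session store for the "db or memcached session engine", then contrasts a login view that writes to the session on every anonymous GET (so each cookie-less request forces a new backend record) with a view that only writes to the session after a POST actually authenticates. The `SessionStore`, `Request`, view functions and the `demo`/`correct` credentials are all hypothetical.

```python
# Constructed example for CVE-2014-8124's mechanism; not Horizon or
# django_openstack_auth code. Models a db/memcached-style session backend and
# shows why touching the session on anonymous login-page GETs lets each
# request create a new session record.
import secrets
from typing import Callable, Dict, Optional


class SessionStore:
    """Toy stand-in for a database or memcached session backend: one record
    per session key, kept in memory so the example runs offline."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def save(self, session_key: Optional[str], data: dict) -> str:
        # A request with no existing key that writes session data forces a
        # brand-new record; that storage cost is what repeated requests multiply.
        if session_key is None:
            session_key = secrets.token_hex(16)
        self.records[session_key] = dict(data)
        return session_key


class Request:
    """Minimal request object carrying only the fields the views below use."""

    def __init__(self, method: str, form: Optional[dict] = None) -> None:
        self.method = method
        self.form = form or {}
        self.session_key: Optional[str] = None  # anonymous: no session cookie yet
        self.session: dict = {}
        self.session_modified = False


def _credentials_ok(form: dict) -> bool:
    # Hypothetical check for the example; real code defers to the auth backend.
    return form.get("username") == "demo" and form.get("password") == "correct"


def eager_login_view(request: Request) -> None:
    """Weak pattern: unconditionally touch the session, even on a GET that
    merely renders the login form. Every anonymous request becomes a write."""
    request.session["login_form_seen"] = True
    request.session_modified = True
    if request.method == "POST" and _credentials_ok(request.form):
        request.session["user"] = request.form["username"]


def hardened_login_view(request: Request) -> None:
    """Defensive pattern: rendering the form is read-only; the session is
    written only once a POST actually authenticates."""
    if request.method == "POST" and _credentials_ok(request.form):
        request.session["user"] = request.form["username"]
        request.session_modified = True


def finalize_response(store: SessionStore, request: Request) -> None:
    """Framework step after the view runs: persist the session only if the
    view modified it (mirrors a save-on-modify session middleware)."""
    if request.session_modified:
        request.session_key = store.save(request.session_key, request.session)


def records_after_anonymous_gets(view: Callable[[Request], None], count: int) -> int:
    """Send `count` cookie-less GETs to the login page and return how many
    session records the backend holds afterwards."""
    store = SessionStore()
    for _ in range(count):
        request = Request("GET")
        view(request)
        finalize_response(store, request)
    return len(store.records)


def records_after_login(view: Callable[[Request], None], bad_attempts: int) -> int:
    """`bad_attempts` failed POSTs followed by one successful POST; returns the
    record count, showing the hardened view also ignores failed attempts."""
    store = SessionStore()
    attempts = [{"username": "demo", "password": "wrong"}] * bad_attempts
    attempts.append({"username": "demo", "password": "correct"})
    for form in attempts:
        request = Request("POST", form)
        view(request)
        finalize_response(store, request)
    return len(store.records)


if __name__ == "__main__":
    print("eager, 1000 anonymous GETs:", records_after_anonymous_gets(eager_login_view, 1000))
    print("hardened, 1000 anonymous GETs:", records_after_anonymous_gets(hardened_login_view, 1000))
```

The point to check in a real deployment is the same one the model isolates: with a database or memcached `SESSION_ENGINE`, watch the session table or cache key count while fetching the login page without a cookie; if it grows per request, an unauthenticated view is writing to the session.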
Comment 2 Kurt Seifried 2014-12-04 00:22:26 UTC
Created attachment 964402 [details]
cve-2014-8124-django_openstack_auth.patch

Comment 3 Kurt Seifried 2014-12-04 00:22:44 UTC
Created attachment 964403 [details]
cve-2014-8124-master-kilo.patch

Comment 4 Kurt Seifried 2014-12-04 00:23:03 UTC
Created attachment 964404 [details]
cve-2014-8124-stable-icehouse.patch

Comment 5 Kurt Seifried 2014-12-04 00:23:23 UTC
Created attachment 964405 [details]
cve-2014-8124-stable-juno.patch

Comment 7 Kurt Seifried 2014-12-04 01:57:28 UTC
Acknowledgement:

Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Eric Peterson from Time Warner Cable as the original reporter.

Comment 13 Murray McAllister 2014-12-15 03:40:33 UTC
Public now:

http://www.openwall.com/lists/oss-security/2014/12/09/23

Comment 14 Murray McAllister 2014-12-15 03:45:35 UTC
Created python-django-horizon tracking bugs for this issue:

Affects: fedora-all [bug 1174066]
Affects: openstack-rdo [bug 1174067]

Comment 20 Fedora Update System 2015-01-05 07:40:53 UTC
python-django-horizon-2014.1.3-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 errata-xmlrpc 2015-04-16 14:32:18 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0845 https://rhn.redhat.com/errata/RHSA-2015-0845.html

Comment 22 errata-xmlrpc 2015-04-16 15:09:53 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0839 https://rhn.redhat.com/errata/RHSA-2015-0839.html

