Bug 1169637 – CVE-2014-8124 python-django-horizon: denial of service via login page requests

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1169637 - (CVE-2014-8124) CVE-2014-8124 python-django-horizon: denial of service via login page requests

Summary:	CVE-2014-8124 python-django-horizon: denial of service via login page requests

Status:	CLOSED ERRATA

Aliases:	CVE-2014-8124

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20141209,repor...
Keywords:	Security

Depends On:	1170421 1174066 1174067 1174080 1174081 1174082 1174083 1174085
Blocks:	1169638
	Show dependency tree / graph

Reported:	2014-12-02 00:31 EST by Murray McAllister
Modified:	2016-04-26 16:08 EDT (History)
CC List:	18 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-04-19 23:33:24 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
cve-2014-8124-django_openstack_auth.patch (960 bytes, patch) 2014-12-03 19:22 EST, Kurt Seifried	no flags	Details \| Diff
cve-2014-8124-master-kilo.patch (2.60 KB, patch) 2014-12-03 19:22 EST, Kurt Seifried	no flags	Details \| Diff
cve-2014-8124-stable-icehouse.patch (2.40 KB, patch) 2014-12-03 19:23 EST, Kurt Seifried	no flags	Details \| Diff
cve-2014-8124-stable-juno.patch (2.60 KB, patch) 2014-12-03 19:23 EST, Kurt Seifried	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Launchpad	1394370	None	None	None	Never
Red Hat Product Errata	RHSA-2015:0839	normal	SHIPPED_LIVE	Moderate: python-django-horizon and python-django-openstack-auth update	2015-04-16 15:08:45 EDT
Red Hat Product Errata	RHSA-2015:0845	normal	SHIPPED_LIVE	Moderate: python-django-horizon and python-django-openstack-auth update	2015-04-16 14:27:28 EDT

Groups: None (edit)

Description Murray McAllister 2014-12-02 00:31:47 EST

The OpenStack project reports:

""
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.
""

Comment 2 Kurt Seifried 2014-12-03 19:22:26 EST

Created attachment 964402 [details]
cve-2014-8124-django_openstack_auth.patch

Comment 3 Kurt Seifried 2014-12-03 19:22:44 EST

Created attachment 964403 [details]
cve-2014-8124-master-kilo.patch

Comment 4 Kurt Seifried 2014-12-03 19:23:03 EST

Created attachment 964404 [details]
cve-2014-8124-stable-icehouse.patch

Comment 5 Kurt Seifried 2014-12-03 19:23:23 EST

Created attachment 964405 [details]
cve-2014-8124-stable-juno.patch

Comment 7 Kurt Seifried 2014-12-03 20:57:28 EST

Acknowledgement:

Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Eric Peterson from Time Warner Cable as the original reporter.

Comment 13 Murray McAllister 2014-12-14 22:40:33 EST

Public now:

http://www.openwall.com/lists/oss-security/2014/12/09/23

Comment 14 Murray McAllister 2014-12-14 22:45:35 EST

Created python-django-horizon tracking bugs for this issue:

Affects: fedora-all [bug 1174066]
Affects: openstack-rdo [bug 1174067]

Comment 20 Fedora Update System 2015-01-05 02:40:53 EST

python-django-horizon-2014.1.3-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 errata-xmlrpc 2015-04-16 10:32:18 EDT

This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0845 https://rhn.redhat.com/errata/RHSA-2015-0845.html

Comment 22 errata-xmlrpc 2015-04-16 11:09:53 EDT

This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0839 https://rhn.redhat.com/errata/RHSA-2015-0839.html

Note You need to log in before you can comment on or make changes to this bug.