The OpenStack project reports:

Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected.
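As an added illustration (not Horizon or django_openstack_auth code, and not the upstream patch), the following models the condition described in the report: a login view that persists a session record on every anonymous GET, beside a hardened variant that only persists a session once credentials have been accepted. The session store, request type and view names are constructed for the example.

```python
"""Session-record growth from anonymous login-page requests (constructed example)."""
from dataclasses import dataclass, field
import uuid


@dataclass
class SessionStore:
    """Stand-in for a db/memcached session backend: each saved session is one record."""
    records: dict = field(default_factory=dict)

    def save(self, data):
        key = uuid.uuid4().hex
        self.records[key] = dict(data)
        return key


@dataclass
class Request:
    method: str
    credentials_valid: bool = False  # constructed: outcome of checking a POSTed form


def login_view_vulnerable(request, store):
    """Writes a session on every visit, so anonymous GETs each leave a record behind."""
    session = {"test_cookie": "worked"}  # per-visit state written before any login
    if request.method == "POST" and request.credentials_valid:
        session["user_id"] = "demo-user"
    store.save(session)
    return "login page"


def login_view_hardened(request, store):
    """Only persists a session after a successful authentication."""
    if request.method == "POST" and request.credentials_valid:
        store.save({"user_id": "demo-user"})
    return "login page"


def records_after_anonymous_gets(view, n_requests):
    """Number of session records left by n unauthenticated GETs of the login page."""
    store = SessionStore()
    for _ in range(n_requests):
        view(Request(method="GET"), store)
    return len(store.records)


def records_after_login(view):
    """Number of session records after one GET followed by one successful POST."""
    store = SessionStore()
    view(Request(method="GET"), store)
    view(Request(method="POST", credentials_valid=True), store)
    return len(store.records)
```

With a db or memcached backend every record in `SessionStore` is a row or cache entry, which is what makes the unbounded growth a resource-exhaustion problem; the hardened view still creates exactly one session for a real login.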
Created attachment 964402: cve-2014-8124-django_openstack_auth.patch
Created attachment 964403: cve-2014-8124-master-kilo.patch
Created attachment 964404: cve-2014-8124-stable-icehouse.patch
Created attachment 964405: cve-2014-8124-stable-juno.patch
Acknowledgement: Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Eric Peterson from Time Warner Cable as the original reporter.
Public now: http://www.openwall.com/lists/oss-security/2014/12/09/23
Created python-django-horizon tracking bugs for this issue:
Affects: fedora-all [bug 1174066]
Affects: openstack-rdo [bug 1174067]
python-django-horizon-2014.1.3-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
OpenStack 5 for RHEL 6
Via RHSA-2015:0845 https://rhn.redhat.com/errata/RHSA-2015-0845.html

This issue has been addressed in the following products:
OpenStack 5 for RHEL 7
Via RHSA-2015:0839 https://rhn.redhat.com/errata/RHSA-2015-0839.html