
CVE-2014-8124

Published: 12 December 2014

OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
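As an added illustration of the bug class named in the description above (not Horizon's code and not the upstream patch), the following constructed Python model shows why persisting a session record on every anonymous request to a login page is a denial-of-service vector. `LruSessionStore` is an assumed stand-in for a memcached-backed session engine (memcached evicts least-recently-used entries once it is full); `login_page_vulnerable` writes a record on every GET, `login_page_hardened` writes nothing until credentials succeed. The capacity of 1000, the flood of 5000 requests and the user name are all constructed for the example.

```python
"""Toy model of CVE-2014-8124's bug class: session records created for
anonymous login-page requests. Constructed example, not Horizon code."""
from collections import OrderedDict
import secrets


class LruSessionStore:
    """Bounded session store with least-recently-used eviction.

    Assumed stand-in for a memcached session engine. A db engine would be
    unbounded instead, so the same flood shows up as table growth.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self._data = OrderedDict()
        self.writes = 0  # every save is a round trip to the backend

    def save(self, sid, data):
        self.writes += 1
        if sid in self._data:
            self._data.move_to_end(sid)
        self._data[sid] = dict(data)
        # Evict the oldest records once the store is full.
        while len(self._data) > self.capacity:
            self._data.popitem(last=False)

    def load(self, sid):
        if sid not in self._data:
            return None
        self._data.move_to_end(sid)
        return self._data[sid]


def new_sid():
    return secrets.token_hex(16)


def login_page_vulnerable(store, sid=None):
    """GET /auth/login that persists a session before any authentication.

    Each anonymous request costs one backend write and one stored record,
    so an attacker needs nothing but a request loop.
    """
    sid = sid or new_sid()
    store.save(sid, {"next": "/", "test_cookie": "worked"})
    return sid


def login_page_hardened(store, sid=None):
    """GET /auth/login that touches no server-side state.

    Any existing cookie is passed through unchanged; nothing is written.
    """
    return sid


def login_success(store, user):
    """Only a successful credential check creates a session record."""
    sid = new_sid()
    store.save(sid, {"user": user})
    return sid


def simulate(login_page, n_anonymous, capacity=1000):
    """Log one legitimate user in, flood the login page, then report
    (backend writes, whether the legitimate session survived)."""
    store = LruSessionStore(capacity)
    victim = login_success(store, "alice")  # constructed user
    for _ in range(n_anonymous):
        login_page(store)
    return store.writes, store.load(victim) is not None


if __name__ == "__main__":
    for view in (login_page_vulnerable, login_page_hardened):
        writes, alive = simulate(view, 5000, 1000)
        print(f"{view.__name__}: writes={writes} victim_session_alive={alive}")
```

With the vulnerable view the flood performs 5001 writes and evicts the legitimate user's session, logging them out; with the hardened view the only write is the real login and the session survives. Against a db session engine the same flood would instead grow the session table without bound.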

Notes

Author: mdeslaur
The fix for CVE-2014-8124 introduced a regression, which is fixed here:
https://review.openstack.org/#/c/142737/

Author: seth-arnold
The python-django-openstack-auth regression fix is currently only included in the wily package (2015-5-14) -- however, no one has complained and testing hasn't demonstrated any problems.
horizon in precise does not appear to take the operations that auto-instantiated django sessions in the newer releases; it looks safe.
Priority

Medium

Status

Package: horizon (Launchpad, Ubuntu, Debian)
  lucid     Does not exist
  precise   Not vulnerable (see notes)
  trusty    Does not exist (trusty was released [1:2014.1.4-0ubuntu2])
  upstream  Released (2014.1.3-6)
  utopic    Not vulnerable (1:2014.2.1-0ubuntu2)
  vivid     Not vulnerable (1:2015.1~b1-0ubuntu1)
  wily      Not vulnerable (1:2015.1~b1-0ubuntu1)
  Patches:
    upstream: https://review.openstack.org/140353 (kilo)
    upstream: https://review.openstack.org/140358 (juno)
    upstream: https://review.openstack.org/140356 (icehouse)

Package: python-django-openstack-auth (Launchpad, Ubuntu, Debian)
  lucid     Does not exist
  precise   Does not exist
  trusty    Does not exist (trusty was not-affected [see notes])
  upstream  Released (1.1.6-5)
  utopic    Not vulnerable (see notes)
  vivid     Not vulnerable (see notes)
  wily      Not vulnerable (includes regression fix)
  Patches:
    upstream: https://review.openstack.org/140352