CVE-2014-8124
Published: 12 December 2014
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
Notes
| Author | Note |
|---|---|
| mdeslaur | the fix for CVE-2014-8124 introduced a regression, which is fixed here: https://review.openstack.org/#/c/142737/ |
| seth-arnold | The python-django-openstack-auth regression fix is currently only included in the wily package (2015-5-14) -- however, no one has complained and testing hasn't demonstrated any problems. horizon in precise does not appear to take the operations that auto- instantiated django sessions in the newer releases; it looks safe. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
horizon Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Not vulnerable
(see notes)
|
|
| trusty |
Released
(1:2014.1.4-0ubuntu2)
|
|
| upstream |
Released
(2014.1.3-6)
|
|
| utopic |
Not vulnerable
(1:2014.2.1-0ubuntu2)
|
|
| vivid |
Not vulnerable
(1:2015.1~b1-0ubuntu1)
|
|
|
Patches: upstream: https://review.openstack.org/140353 upstream: https://review.openstack.org/140358 upstream: https://review.openstack.org/140356 |
||
|
python-django-openstack-auth Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
(trusty was not-affected [see notes])
|
|
| upstream |
Released
(1.1.6-5)
|
|
| utopic |
Not vulnerable
(see notes)
|
|
| vivid |
Not vulnerable
(see notes)
|
|
|
Patches: upstream: https://review.openstack.org/140352 |
||