[OSSA 2014-040] horizon login page is vulnerable to DOS attack (CVE-2014-8124)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | High | Eric Peterson | 
Icehouse | Fix Released | Undecided | Lin Hua Cheng | 
Juno | Fix Released | Undecided | Tristan Cacqueray | 
OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray | 
Bug Description
We have horizon deployed with mysql sessions. I believe this issue exists with all db backed sessions, and likely memcached too (but I am not sure).
Every request to the login page is generating a new session record in the db. This is based upon this line of code:
https:/
What happens is as soon as you access request.
I have placed some debugging code in a variety of locations where we are accessing the session store before we should be, which creates these records:
https:/
The check for the timeout should never occur if there is no authenticated user. So the check a few lines below needs to be moved higher.
https:/
This check I am not sure how to work around. We are accessing the session, which creates records, just trying to keep track if a user is logged in or not. It seems like we are not using the django auth mechanisms correctly here, and I can't see if there is a workaround.
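As an added illustration (constructed for this page, not code from the Horizon project; all names are hypothetical), a minimal Python model of the behaviour the report describes: a lazily created session that writes a backend record on first access, a timeout check that touches the session before knowing whether the user is authenticated, and the reordered check that only touches it for authenticated users.

```python
# Constructed model of the bug described above (not Horizon code; names are
# hypothetical). A Django-style session is lazy: its backend record is written
# only when the handler first reads or writes request.session, so code that
# touches the session for an anonymous visitor creates one record per request.
import time
from types import SimpleNamespace

class LazySession:
    """First read or write materialises a record in the backend store (a dict
    standing in for the DB or memcached table), as Django's session does."""

    def __init__(self, store):
        self._store, self._key = store, None

    def _data(self):
        if self._key is None:  # materialise on first access
            self._key = f"sess{len(self._store) + 1}"
            self._store[self._key] = {}
        return self._store[self._key]

    def get(self, name, default=None):
        return self._data().get(name, default)

    def __setitem__(self, name, value):
        self._data()[name] = value

def _touch(session, now):
    last = session.get("last_activity", now)
    session["last_activity"] = now
    return last

def timeout_check_before_auth(request, timeout=1800):
    """Buggy order: touches the session before knowing who the user is."""
    now = time.time()
    last = _touch(request.session, now)
    return request.is_authenticated and now - last > timeout

def timeout_check_after_auth(request, timeout=1800):
    """Fixed order: anonymous requests never reach the session store."""
    if not request.is_authenticated:
        return False
    now = time.time()
    return now - _touch(request.session, now) > timeout

def records_after_anonymous_requests(check, n):
    """Backend records created by n anonymous hits on the login page."""
    store = {}
    for _ in range(n):
        check(SimpleNamespace(session=LazySession(store), is_authenticated=False))
    return len(store)
```

Counting store records after a burst of anonymous requests is also the quickest way to confirm on a real deployment whether the login page is still materialising sessions.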
CVE References
Changed in ossa:
  status: New → Incomplete

Changed in ossa:
  status: Incomplete → Confirmed
  importance: Undecided → High
  summary: "horizon login page is vulnerable to DOS attack" → "horizon login page is vulnerable to DOS attack (CVE-2014-8124)"

Changed in horizon:
  status: Confirmed → Triaged

Changed in ossa:
  status: In Progress → Fix Committed
  information type: Private Security → Public Security
  summary: "horizon login page is vulnerable to DOS attack (CVE-2014-8124)" → "[OSSA 2014-040] horizon login page is vulnerable to DOS attack (CVE-2014-8124)"

Changed in ossa:
  status: Fix Committed → Fix Released

Changed in horizon:
  milestone: none → kilo-1
  status: Fix Committed → Fix Released

Changed in horizon:
  milestone: kilo-1 → 2015.1.0
https://github.com/openstack/horizon/blob/master/openstack_dashboard/views.py#L45
Also contributes to this issue.