Comment 26 for bug 1227575

Nathan Kinder (nkinder) wrote :

I would slightly reword the "Summary" section to be a bit more clear. I'd suggest something like this:

-------------
There is currently no limitation on the number of VNC sessions that can be established for a single user's VNC token. This enables one to cause a Denial of Service (DoS) style attack by establishing many VNC sessions against a single instance through a noVNC proxy. This can cause timeouts for other users who are trying to access the same instance through VNC.
-------------

In the "Discussion" section, I don't think the first sentence is needed ("NoVNC Proxy is explained here"). There are also some areas where I would suggest slight rewording:

-------------
Once a user gets a token to access an instance's VNC console, there is no restriction on the frequency that the user can attempt to connect to the instance's VNC console using that token. There is also no restriction on the number of simultaneous VNC sessions that the user can establish against the instance using a single token. If many connection requests are made, any subsequent connection requests made by other users may time out. This could also impact other users' currently established VNC sessions to the instance. The overall responsiveness of other Nova services running on the noVNC host.

By taking advantage of the lack of any VNC connection limiting, a single user could cause the noVNC proxy endpoint to be non-responsive or unreachable. This results in a DoS attack. It should be noted that there is no amplification effect.
-------------

I think the OSSN needs to mention Havana as well. It currently only indicates that Grizzly is affected in the "Affected Services" and "Recommended Actions" sections.

You have a few spots that use "NoVNC" or "novnc". These should be "noVNC".

In the "Recommended Actions" section, you start to make a reference to some best practices but there is no reference. Were you intending to refer to the Security Guide?