Apparently that bug lets you fill the DB much faster than expected. Thus we'll treat this as a class A.
The proposed patch applies cleanly on the master and juno branches but it requires a bit of rework for Icehouse. Can someone provide a patch for Icehouse?
Here is the proposed impact description #1. Note that I've considered all backends as vulnerable:
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3 and 2014.2
Description:
Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page, a remote attacker may generate unwanted session records, resulting in a denial of service. All Horizon setups are affected.