Configure Horizon to mitigate BREACH/CRIME attacks
-----
### Summary ###
In its default configuration Horizon is vulnerable to BREACH/CRIME-style chosen-plaintext attacks.
### Affected Services / Software ###
Horizon, Django, Apache, Nginx
### Discussion ###
The BREACH attack may be used to compromise Django's CSRF protection. OpenStack's Horizon web dashboard is built on the Django framework and is consequently affected. There is no Horizon patch, but there are protection options.
BREACH takes advantage of HTTP-level compression of responses served over SSL/TLS: when attacker-influenced input is compressed in the same response as a secret such as the CSRF token, the size of the compressed response leaks information about that secret. Disabling response compression removes the side channel.
### Recommended Actions ###
Disable Django's GZIP Middleware - https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip
Disable GZip compression in your web server's config:
Apache: Disable mod_deflate - http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
Nginx: Disable the gzip module - http://wiki.nginx.org/HttpGzipModule
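A defender-side check for the conditions the actions above remove, added here as example code that is not part of this OSSN, Django or Horizon. It assumes only the Python standard library; the sample response it classifies is constructed inline, and `fetch_and_check` is the only part that touches the network.

```python
"""Added example (not from this OSSN or Horizon): flag the BREACH
preconditions the note describes in a Horizon/Django deployment.
Uses only the Python standard library."""
import gzip
import re
from urllib.request import Request, urlopen

GZIP_MIDDLEWARE = "django.middleware.gzip.GZipMiddleware"
# Django renders its CSRF token into forms as a hidden input with this name.
CSRF_TOKEN_RE = re.compile(rb'name=["\']csrfmiddlewaretoken["\']')

# Constructed sample of a gzip-compressed, Horizon-style login page response.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
SAMPLE_BODY = (b'<form action="/auth/login/" method="post">'
               b'<input type="hidden" name="csrfmiddlewaretoken" value="CONSTRUCTED">'
               b'<input name="username"></form>')


def gzip_middleware_enabled(middleware):
    """True if GZipMiddleware is listed in MIDDLEWARE / MIDDLEWARE_CLASSES (settings.py)."""
    return GZIP_MIDDLEWARE in middleware


def breach_exposure(url, headers, body):
    """Classify one response by the BREACH preconditions from the note.

    url: the request URL (only https responses are in scope);
    headers: response headers (any case); body: decompressed body bytes.
    'exposed' is set when the response is served over TLS, compressed
    at the HTTP layer, and carries the Django CSRF token.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    encoding = lower.get("content-encoding", "identity").lower()
    result = {
        "tls": url.lower().startswith("https://"),
        "compressed": encoding not in ("", "identity"),
        "secret_in_body": CSRF_TOKEN_RE.search(body) is not None,
    }
    result["exposed"] = all(result.values())
    return result


def fetch_and_check(url, timeout=10):
    """Request a page while advertising gzip support, then classify the reply."""
    req = Request(url, headers={"Accept-Encoding": "gzip, deflate"})
    with urlopen(req, timeout=timeout) as resp:
        headers = dict(resp.getheaders())
        body = resp.read()
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return breach_exposure(url, headers, body)
```

Run `fetch_and_check` against your own dashboard's HTTPS login URL after applying the actions above; `compressed` should be false and therefore `exposed` false.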
### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1209250
Django advice on BREACH : https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
More info on BREACH : http://breachattack.com/
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg