Denial of Service in OpenStack Identity V3 API by Large Request Load
CVE-2014-2828

Currently unrated

Key Information:

Vendor: Openstack
Status: Keystone
Vendor: CVE Published:; 15 April 2014

Summary

The V3 API in OpenStack Identity (Keystone) versions prior to 2013.2.4 and Icehouse releases before icehouse-rc2 is susceptible to a denial of service attack. Remote attackers can exploit this vulnerability by issuing a large volume of requests using the same authentication method, overwhelming the system and leading to excessive CPU consumption. This behavior, known as 'authentication chaining,' can disrupt service availability, thereby impacting users and organizations relying on OpenStack for their infrastructure.

References

http://rhn.redhat.com/errata/RHSA-2014-1688.html

vendor-advisoryx_refsource_REDHAT

http://www.openwall.com/lists/oss-security/2014/04/10/20

mailing-listx_refsource_MLIST

https://bugs.launchpad.net/keystone/+bug/1300274

x_refsource_CONFIRM

Timeline

Vulnerability published
Apr 15, 2014
Vulnerability Reserved
Apr 10, 2014