History: Jun 17, 2018 - 10:30 p.m.

Security Bulletin: IBM SmartCloud Orchestrator - Keystone DoS through V3 API authentication chaining (CVE-2014-2828)

2018-06-17 22:30:50
www.ibm.com

EPSS: 0.008 (Low), percentile 81.3%

Summary

By sending a single request with the same authentication method multiple times, a remote attacker might generate unwanted load on the Keystone host, which might potentially result in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.

Vulnerability Details

CVE ID: CVE-2014-2828

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92404> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Description:
OpenStack Keystone is vulnerable to a denial of service, which is caused by an error in the V3 API authentication. By sending a specially crafted request with the same authentication method, a remote attacker might exploit this vulnerability to consume all available resources.
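
A validation check for the request shape described above, as an added example that is not part of the IBM bulletin or of Keystone's own code. It assumes the Keystone V3 `POST /v3/auth/tokens` body layout (`auth.identity.methods`); the function names, the `MAX_METHODS` limit and the sample bodies are hypothetical and constructed for illustration.

```python
import json

MAX_METHODS = 4  # assumed ceiling (hypothetical); set to the number of methods you enable


def check_v3_auth_body(raw_body, max_methods=MAX_METHODS):
    """Return (ok, reason) for a Keystone V3 POST /v3/auth/tokens request body."""
    try:
        doc = json.loads(raw_body)
    except (ValueError, TypeError):
        return False, "body is not valid JSON"
    try:
        methods = doc["auth"]["identity"]["methods"]
    except (KeyError, TypeError):
        return False, "missing auth.identity.methods"
    if not isinstance(methods, list) or not methods:
        return False, "methods must be a non-empty list"
    if not all(isinstance(m, str) for m in methods):
        return False, "method names must be strings"
    # Length is checked first so the duplicate scan below stays cheap.
    if len(methods) > max_methods:
        return False, "too many methods (%d)" % len(methods)
    repeated = sorted({m for m in methods if methods.count(m) > 1})
    if repeated:
        return False, "repeated method(s): " + ", ".join(repeated)
    return True, "ok"


def sample_body(methods):
    # Constructed sample body; credentials are placeholders.
    return json.dumps({"auth": {"identity": {
        "methods": methods,
        "password": {"user": {"id": "example-user", "password": "example"}},
    }}})


NORMAL = sample_body(["password"])
CHAINED = sample_body(["password", "password", "password"])

if __name__ == "__main__":
    for name, body in (("normal", NORMAL), ("chained", CHAINED)):
        print(name, check_v3_auth_body(body))
```

The same function can be run over captured request bodies to find requests that repeat an authentication method.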

Affected Products and Versions

SmartCloud Orchestrator 2.3 and 2.3 Fix Pack 1

Remediation/Fixes

The recommended solution is to apply the fix as soon as practical. Upgrade to IBM SmartCloud Orchestrator 2.3 Fix Pack 1 Interim Fix 4.

Workarounds and Mitigations

None

CPE Name | Operator | Version
ibm smartcloud orchestrator | eq | 2.3
