OSSA-2012-002: Extremely long passwords can crash Keystone

Date:March 27, 2012
CVE:CVE-2012-1572

Affects

  • Keystone: All versions

Description

Dan Prince reported a vulnerability in Keystone. He discovered that you can remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonablelimit on password length (4 kB).

Credits

  • Dan Prince from Red Hat (CVE-2012-1572)

Table Of Contents

Previous topic

OSSA-2012-001: Tenant bypass by authenticated users using OpenStack API

Next topic

OSSA-2012-003: Long server names grow nova-api log files significantly

This Page

Navigation

© Copyright 2018, OpenStack Vulnerability Management Team. Freely licensed under CC BY 3.0. Propose changes to the ossa git repo. Last updated on 'Sun Sep 9 15:21:37 2018, commit 1a614a5'. Created using Sphinx 1.2.3.