openstack team mailing list archive

[OSSA 2012-003] Long server names grow nova-api log files significantly (CVE-2012-1585)

 

OpenStack Security Advisory: 2012-003
CVE: CVE-2012-1585
Date: March 29, 2012
Title: Long server names grow nova-api log files significantly
Impact: High
Reporter: Dan Prince <dprince@xxxxxxxxxx>
Products: Nova
Affects: All versions

Description:
Dan Prince reported a vulnerability in OpenStack Compute (Nova) API
servers. By PUTing or POSTing extremely long server names to the
OpenStack API, any authenticated user may grow nova-api log files
significantly, potentially resulting in disk space exhaustion and denial
of service to the affected nova-api nodes. Only setups running the
OpenStack API are affected.

Fixes:
Essex: https://github.com/openstack/nova/commit/c7f526fae6062e9ab51f65474af71d496aa66554
2011.3: https://review.openstack.org/#change,5956

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1585
https://bugs.launchpad.net/nova/+bug/962515

Notes:
This fix will be included in the Essex rc2 development milestone and in
a future Diablo release.

-- 
Russell Bryant
OpenStack Vulnerability Management Team
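
An added example, not part of the advisory and not the Nova fix itself: one way an API layer can bound the server name on create (POST) and update (PUT) requests and keep user-supplied values from being logged at full length. The limits, the function and class names, and the {"server": {"name": ...}} body shape are assumptions made for this sketch.

```python
import logging

# Assumed limits for this example; the advisory does not state the fix's values.
MAX_NAME_LEN = 255   # longest server name accepted
LOG_FIELD_MAX = 64   # longest slice of user input ever echoed to a log

log = logging.getLogger("api-example")


class InvalidServerName(ValueError):
    """Lets the API layer answer 400 without logging the request body."""


def clip(value, limit=LOG_FIELD_MAX):
    """Return a bounded, single-line rendering of user input for logs."""
    text = repr(value)  # repr() escapes newlines, so one event stays one line
    if len(text) > limit:
        return "%s...(truncated, %d chars)" % (text[:limit], len(text))
    return text


def validate_server_name(body):
    """Check body['server']['name'] from a create (POST) or update (PUT)."""
    server = body.get("server") if isinstance(body, dict) else None
    name = server.get("name") if isinstance(server, dict) else None
    if not isinstance(name, str):
        raise InvalidServerName("server name must be a string")
    name = name.strip()
    if not name:
        raise InvalidServerName("server name is empty")
    if len(name) > MAX_NAME_LEN:
        # Record that a rejection happened, with a bounded prefix only.
        log.warning("rejected server name: %s", clip(name))
        raise InvalidServerName(
            "server name exceeds %d characters" % MAX_NAME_LEN)
    return name


if __name__ == "__main__":
    # Constructed sample input: a normal name and an extremely long one.
    for sample in ({"server": {"name": "web-01"}},
                   {"server": {"name": "A" * 1000000}}):
        try:
            print("accepted:", validate_server_name(sample))
        except InvalidServerName as exc:
            print("rejected:", exc)
```

Validating before any request logging matters here: a rejected request then costs a fixed number of log bytes regardless of how long the submitted name was.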