OpenStack Security Advisory: 2012-003 CVE: CVE-2012-1585 Date: March 29, 2012 Title: Long server names grow nova-api log files significantly Impact: High Reporter: Dan Prince <dprince at redhat.com> Products: Nova Affects: All versions Description: Dan Prince reported a vulnerability in OpenStack Compute (Nova) API servers. By PUTing or POSTing extremely long server names to the OpenStack API, any authenticated user may grow nova-api log files significantly, potentially resulting in disk space exhaustion and denial of service to the affected nova-api nodes. Only setups running the OpenStack API are affected. Fixes: Essex: https://github.com/openstack/nova/commit/c7f526fae6062e9ab51f65474af71d496aa66554 2011.3: https://review.openstack.org/#change,5956 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1585 https://bugs.launchpad.net/nova/+bug/962515 Notes: This fix will be included in the Essex rc2 development milestone and in a future Diablo release. -- Russell Bryant OpenStack Vulnerability Management Team