GHSA-9jxq-5x44-gx23
Keylime registrar is vulnerable to Denial-of-Service attack when updated to version 7.12.0
Details
### Impact

The Keylime `registrar` implemented more strict type checking on version 7.12.0. As a result, when updated to version 7.12.0, the `registrar` will not accept the format of the data previously stored in the database by versions >= 7.8.0, raising an exception.
This makes the Keylime `registrar` vulnerable to a Denial-of-Service attack in an update scenario, as an attacker could populate the `registrar` database by creating multiple valid agent registrations with different UUIDs while the version is still < 7.12.0. Then, when the Keylime `registrar` is updated to the 7.12.0 version, any query to the database matching any of the entries populated by the attacker will result in failure.
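The failure mode above, modelled as an added example (not Keylime code): the per-agent record layout and the `port` field are constructed stand-ins for whatever the registrar persists, and the coercing loader is one remediation pattern, not necessarily the upstream fix. A strict loader turns every legacy row into a failed lookup, so an attacker who pre-populated many registrations controls how much of the database becomes unserviceable after the upgrade.

```python
"""Upgrade-time type-check failure of the kind GHSA-9jxq-5x44-gx23 describes.

Constructed example, not Keylime code: the record layout and field types are
hypothetical stand-ins for whatever the registrar stores per agent.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Registration:
    agent_id: str
    port: int  # hypothetical field; older rows stored it as a string


# Constructed rows as an older version might have persisted them. The
# attacker-controlled number of such rows is what makes this a DoS.
LEGACY_DB = {
    f"agent-{i:04d}": {"agent_id": f"agent-{i:04d}", "port": str(9000 + i)}
    for i in range(5)
}
LEGACY_DB["agent-bad"] = {"agent_id": "agent-bad", "port": "not-a-port"}

Loader = Callable[[dict], Registration]


def load_strict(row: dict) -> Registration:
    """Newer-style loader: exact types required, so every legacy row raises."""
    if not isinstance(row["port"], int):
        raise TypeError(f"port must be int, got {type(row['port']).__name__}")
    return Registration(row["agent_id"], row["port"])


def load_coercing(row: dict) -> Registration:
    """Remediation pattern: accept the legacy representation at read time
    while still rejecting values that are genuinely invalid."""
    port = row["port"]
    if isinstance(port, str) and port.isdigit():
        port = int(port)
    if not isinstance(port, int) or not 0 < port < 65536:
        raise ValueError(f"invalid port {row['port']!r}")
    return Registration(row["agent_id"], port)


def lookup(db: dict, agent_id: str, loader: Loader) -> Optional[Registration]:
    row = db.get(agent_id)
    return None if row is None else loader(row)


def count_failing_lookups(db: dict, loader: Loader) -> int:
    """How many stored registrations a given loader can no longer serve."""
    failures = 0
    for agent_id in db:
        try:
            lookup(db, agent_id, loader)
        except (TypeError, ValueError):
            failures += 1
    return failures
```

Running `count_failing_lookups` with each loader against the same stored rows shows the difference: the strict loader fails on all six, the coercing loader only on the genuinely malformed one.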
### Patches

Users should upgrade to versions >= 7.12.1.
### Workarounds

- Remove the registrar database and re-register all agents
### Credit

Reported by: Anderson Toshiyuki Sasaki/@ansasaki
Patched by: Anderson Toshiyuki Sasaki/@ansasaki
References
- https://github.com/keylime/keylime/security/advisories/GHSA-9jxq-5x44-gx23 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-1057 [ADVISORY]
- https://github.com/keylime/keylime/commit/e08b10d86c3717006774e787542c190e2ba24fc7 [WEB]
- https://access.redhat.com/security/cve/CVE-2025-1057 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2343894 [WEB]
- https://github.com/keylime/keylime [PACKAGE]