A vulnerability was found in IPA, whereby sending a very long password (1.000.000 characters) makes it possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.
Acknowledgments: Name: Pritam Singh (Red Hat)
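The description above attributes the outage to hashing an unbounded password. As an added example (not FreeIPA code and not the upstream fix), this sketch bounds both the request body and the password before the expensive derivation runs; the limits, the user store, the `STATS` counter and the `login` handler are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Assumed limits for this sketch; not values taken from FreeIPA.
MAX_BODY_BYTES = 4096
MAX_PASSWORD_CHARS = 1000
PBKDF2_ROUNDS = 10_000

STATS = {"kdf_calls": 0}  # counts how often the expensive step actually runs


def derive(password: str, salt: bytes) -> bytes:
    """The expensive step that must never see unbounded input."""
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed account store: one user with a salted hash.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}


def login(content_length: int, body: bytes) -> int:
    """Return an HTTP status for a form-encoded login request."""
    # Layer 1: refuse oversized requests before parsing anything.
    if content_length > MAX_BODY_BYTES or len(body) > MAX_BODY_BYTES:
        return 413
    form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    user = form.get("user", [""])[0]
    password = form.get("password", [""])[0]
    # Layer 2: bound the password itself before any hashing happens.
    if not password or len(password) > MAX_PASSWORD_CHARS:
        return 400
    salt, expected = USERS.get(user, (_SALT, b""))
    candidate = derive(password, salt)  # same cost for unknown users
    return 200 if hmac.compare_digest(candidate, expected) else 401
```

The 1.000.000-character case from the report is stopped by the body cap, and a password that fits in the body but exceeds the field cap is stopped by the second check, so neither reaches `derive`.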
Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1823621]
Link FreeIPA issue 8268 here: https://pagure.io/freeipa/issue/8268
FreeIPA team agrees with Red Hat Security Response Team assessment that this is a low severity, low priority issue. The fix will be merged into FreeIPA upstream but no separate release will be done.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3936 https://access.redhat.com/errata/RHSA-2020:3936
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1722
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4670 https://access.redhat.com/errata/RHSA-2020:4670