[Openstack-security] [Bug 1668410] Re: Infinite loop trying to delete deleted HA router

Jeremy Stanley fungi at yuggoth.org
Fri Aug 4 15:33:11 UTC 2017


Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

Given this was purported to have been fixed in master by
https://review.openstack.org/365653 prior to the Newton release and it
in turn claims to be fixing bug 1607381 (which itself makes mention of
an infinite loop bug 1606844 which is also questioned as a possible dupe
for bug 1605546, bug 1533441, bug 1533457 and bug 1605546, some of which
are still open), it's not entirely clear to me the degree to which this
has been solved so some summary from neutron-coresec reviewers would be
particularly appreciated.

That aside, "denial of service" conditions arising from unconstrained
resource consumption by authenticated users is a grey area we struggle
with classifying. At some point, operators must have a means of
identifying abuse by their users, locking them out and cleaning up the
mess. In a "typical" production deployment servicing potentially risky
users, how quickly can an abuser "fill up" your logs doing this? Will
your monitoring system alert operations to the increase in activity and
disk utilization in reasonable time for them to take mitigating action?
Are deployments likely to include rate-limiting proxies which further
throttle problem API calls such as these?

In most cases, we triage such reports as security hardening
opportunities (class D in our taxonomy:
https://security.openstack.org/vmt-process.html#incident-report-taxonomy )
and since this report is already public there's no harm in doing that
for now while entertaining further discussion on whether it should be
reclassed and any potential advisory issued.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1668410

Title:
  Infinite loop trying to delete deleted HA router

Status in neutron:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Latest Mitaka code, L3 HA
  After running rally create_and_delete_routers (concurrency 100 and times 100, or more), the neutron l3 agent logs on the nodes filled (a new timestamp every .003 seconds) with traces such as:
  http://paste.openstack.org/show/599851/
  which causes the cluster to fall over when the log partition fills up.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1668410/+subscriptions
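The operational questions raised in the comment above (how fast can a flood like this fill the log partition, and would monitoring notice in time) can be answered with a small check run over the agent log. The following is an added example written for this page; it is not code from the bug report, from neutron, or from Jeremy Stanley's comment. It assumes an oslo.log-style line layout (timestamp, pid, level, logger, request context, message), uses constructed sample lines rather than the real trace from the paste, and flags any identical message repeated at least `threshold` times within one second, then estimates how long a partition would last at the observed write rate.

```python
"""Detect a log flood of repeated identical messages and estimate time-to-full.

Added example (not part of the bug report or of neutron). The line format is an
assumption modelled on oslo.log's default layout; adjust LINE_RE for your site.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: 200 identical ERROR lines 3 ms apart (the report describes
# a trace every .003 s), followed by one unrelated INFO line one second later.
# These are not the real lines from the bug's paste.
SAMPLE_LOG = "\n".join(
    f"2017-03-01 12:00:00.{3 * i:03d} 4242 ERROR neutron.agent.l3.agent [-] "
    "Failed to delete router (constructed message)"
    for i in range(200)
) + "\n2017-03-01 12:00:01.000 4242 INFO neutron.agent.l3.agent [-] Router update done\n"

# Assumed oslo.log-style layout: "<date> <time.ms> <pid> <LEVEL> <logger> [<ctx>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<pid>\d+) (?P<level>[A-Z]+) (?P<logger>\S+) \[[^\]]*\] (?P<msg>.*)$"
)


def parse_lines(text):
    """Yield (timestamp, level, logger, message, bytes_on_disk) per parseable line.

    Traceback continuation lines carry no timestamp and are skipped here.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m["level"], m["logger"], m["msg"], len(line.encode()) + 1


def detect_bursts(text, threshold=50):
    """Return [(window_start, logger, message, count)] for every identical
    (logger, message) pair seen at least `threshold` times in one second."""
    counts = Counter()
    for ts, _level, logger, msg, _size in parse_lines(text):
        counts[(ts.replace(microsecond=0), logger, msg)] += 1
    return sorted(
        (window, logger, msg, n)
        for (window, logger, msg), n in counts.items()
        if n >= threshold
    )


def write_rate_bytes_per_sec(text):
    """Average bytes written per second over the span of the parseable lines."""
    events = list(parse_lines(text))
    if len(events) < 2:
        return 0.0
    span = (events[-1][0] - events[0][0]).total_seconds()
    total = sum(size for *_rest, size in events)
    return total / span if span > 0 else float("inf")


def seconds_until_full(free_bytes, bytes_per_sec):
    """How long a partition with `free_bytes` free survives at the given rate."""
    if bytes_per_sec <= 0:
        return float("inf")
    return free_bytes / bytes_per_sec


if __name__ == "__main__":
    for window, logger, msg, n in detect_bursts(SAMPLE_LOG):
        print(f"{window} {logger}: {n}x '{msg}'")
    rate = write_rate_bytes_per_sec(SAMPLE_LOG)
    # Assumed free space of 10 GiB on the log partition, purely for illustration.
    print(f"{rate:.0f} B/s -> 10 GiB full in {seconds_until_full(10 * 2**30, rate) / 3600:.1f} h")
```

Feeding the check a rolling one-second window from the live log, rather than a whole file, turns it into the alert the comment asks about; in practice the same repeat count threshold also makes a reasonable trigger for the rate-limiting it mentions, since a single tenant producing hundreds of identical failures per second is exactly the pattern an operator wants to see before the partition fills.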
