[OSSA-2021-006] Neutron: Routes middleware memory leak for nonexistent controllers (CVE-2021-40797)

Jeremy Stanley fungi at yuggoth.org
Thu Sep 9 14:04:36 UTC 2021

OSSA-2021-006: Routes middleware memory leak for nonexistent controllers

:Date: September 09, 2021
:CVE: CVE-2021-40797

- Neutron: <16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1

Slawek Kaplonski with Red Hat reported a vulnerability in Neutron's
routes middleware. By making API requests involving nonexistent
controllers, an authenticated user may cause the API worker to
consume increasing amounts of memory, resulting in API performance
degradation or denial of service. All Neutron deployments are

- https://review.opendev.org/807638 (Queens)
- https://review.opendev.org/807637 (Rocky)
- https://review.opendev.org/807636 (Stein)
- https://review.opendev.org/807635 (Train)
- https://review.opendev.org/807634 (Ussuri)
- https://review.opendev.org/807633 (Victoria)
- https://review.opendev.org/807632 (Wallaby)
- https://review.opendev.org/807335 (Xena)

- Slawek Kaplonski from Red Hat (CVE-2021-40797)

- https://launchpad.net/bugs/1942179
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797

- The stable/train, stable/stein, stable/rocky, and stable/queens
  branches are under extended maintenance and will receive no new
  point releases, but patches for them are provided as a courtesy.

Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210909/b1eb9210/attachment.sig>

More information about the openstack-discuss mailing list