[Openstack] [OSSA 2012-009] Scheduler denial of service through scheduler_hints (CVE-2012-3371)

Thierry Carrez thierry at openstack.org
Wed Jul 11 16:43:07 UTC 2012



OpenStack Security Advisory: 2012-009
CVE: CVE-2012-3371
Date: July 11, 2012
Title: Scheduler denial of service through scheduler_hints
Impact: Medium
Reporter: Dan Prince (Red Hat)
Products: Nova
Affects: Essex, Folsom series

Description:
Dan Prince from Red Hat reported a vulnerability in Nova scheduler
nodes. By creating servers with malicious scheduler_hints, an
authenticated user may generate a huge amount of database calls,
potentially resulting in a Denial of Service attack against Nova
scheduler nodes. Only setups exposing the OpenStack API and enabling
DifferentHostFilter and/or SameHostFilter are affected.
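The mechanism described above is that each instance UUID an authenticated user lists in an affinity hint became a separate scheduler database lookup, so the request size controlled the query count. The following added example (not Nova's code, and not the content of the linked commits) shows the defensive shape a scheduler filter can take: the hint is type-checked, bounded by a cap, deduplicated and validated as UUIDs before any lookup, and the survivors are resolved in one batched query. The cap `MAX_AFFINITY_HINT_ENTRIES`, the `HintValidationError` type and the in-memory `db` mapping are hypothetical names introduced for the example.

```python
"""Illustrative hardening for affinity scheduler_hints (added example, not Nova's code).

In the pattern CVE-2012-3371 describes, DifferentHostFilter/SameHostFilter
turned every instance UUID in a hint into a database call. Here the hint is
validated and bounded first, then resolved with a single batched lookup.
"""
import uuid
from typing import Iterable, List, Mapping, Set

# Hypothetical cap on how many instances one affinity hint may name. Nova's
# actual fix lives in the commits linked in the advisory, not in this file.
MAX_AFFINITY_HINT_ENTRIES = 50


class HintValidationError(ValueError):
    """Raised when a scheduler hint is malformed or exceeds its bound."""


def normalize_affinity_hint(value) -> List[str]:
    """Accept one UUID string or a list of them; return a bounded, deduplicated
    list of canonical (lowercase) UUID strings.

    Rejecting bad input here means the database is never consulted for it.
    """
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, (list, tuple)):
        raise HintValidationError("affinity hint must be a UUID or a list of UUIDs")
    if len(value) > MAX_AFFINITY_HINT_ENTRIES:
        raise HintValidationError(
            "affinity hint names more than %d instances" % MAX_AFFINITY_HINT_ENTRIES)
    seen: Set[str] = set()
    out: List[str] = []
    for item in value:
        if not isinstance(item, str):
            raise HintValidationError("affinity hint entries must be strings")
        try:
            canonical = str(uuid.UUID(item))
        except ValueError:
            raise HintValidationError("affinity hint entry is not a UUID: %r" % item)
        if canonical not in seen:  # duplicates would only multiply lookups
            seen.add(canonical)
            out.append(canonical)
    return out


def hosts_for_instances(db: Mapping[str, str], instance_uuids: Iterable[str]) -> Set[str]:
    """Single batched lookup of the hosts running the given instances.

    `db` is a constructed stand-in for the instance table (uuid -> host) so the
    example runs offline; a real implementation would issue one
    `WHERE uuid IN (...)`-style query rather than one query per UUID.
    """
    wanted = set(instance_uuids)
    return {host for inst_uuid, host in db.items() if inst_uuid in wanted}


def different_host_passes(candidate_host: str, db: Mapping[str, str], hint_value) -> bool:
    """DifferentHostFilter semantics: the candidate must run none of the named instances."""
    uuids = normalize_affinity_hint(hint_value)
    return candidate_host not in hosts_for_instances(db, uuids)


def same_host_passes(candidate_host: str, db: Mapping[str, str], hint_value) -> bool:
    """SameHostFilter semantics: the candidate must run at least one named instance."""
    uuids = normalize_affinity_hint(hint_value)
    return candidate_host in hosts_for_instances(db, uuids)


if __name__ == "__main__":
    # Constructed sample data: two instances on two compute hosts.
    instances = {
        "11111111-1111-1111-1111-111111111111": "compute-a",
        "22222222-2222-2222-2222-222222222222": "compute-b",
    }
    hint = ["11111111-1111-1111-1111-111111111111"]
    print("compute-a passes DifferentHost:", different_host_passes("compute-a", instances, hint))
    print("compute-c passes DifferentHost:", different_host_passes("compute-c", instances, hint))
    print("compute-a passes SameHost:", same_host_passes("compute-a", instances, hint))
```

The two properties worth keeping in a real filter are the ones the advisory implies: the number of lookups must not scale with the size of user-supplied input, and input that cannot name an instance should be rejected before it reaches the database.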

Fixes:
Folsom:
https://github.com/openstack/nova/commit/034762e8060dcf0a11cb039b9d426b0d0bb1801d
Essex:
https://github.com/openstack/nova/commit/25f5bd31805bd21d7b7e3583c775252aa8f737e9

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3371
https://bugs.launchpad.net/nova/+bug/1017795

Notes:
This fix will be included in the folsom-3 development milestone
(published next month) and in future Essex releases.

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team