Bug 2003248 (CVE-2021-40797)
Summary: | CVE-2021-40797 openstack-neutron: Routes middleware memory leak for nonexistent controllers | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aileenc, bibryam, chazlett, chrisw, dalvarez, dbecker, drieden, ggaughan, hbraun, janstey, jjoyce, jochrist, jschluet, lhh, lpeer, mburns, pantinor, rhos-maint, sclewis, scohen, slinaber, srevivo |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | neutron 16.4.1, neutron 17.2.1, neutron 18.1.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A resource-allocation flaw was found in openstack-neutron. An authenticated attacker could make API requests involving nonexistent controllers causing the API worker to consume increasing amounts of memory. This flaw could be exploited to force API performance degradation or denial of service.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-03-24 13:45:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2004296, 2004297, 2004298 | ||
Bug Blocks: | 2003249 |
Description
Pedro Sampaio
2021-09-10 19:09:47 UTC
Upstream patches:
https://review.opendev.org/807638 (Queens)
https://review.opendev.org/807637 (Rocky)
https://review.opendev.org/807636 (Stein)
https://review.opendev.org/807635 (Train)
https://review.opendev.org/807634 (Ussuri)
https://review.opendev.org/807633 (Victoria)
https://review.opendev.org/807632 (Wallaby)
https://review.opendev.org/807335 (Xena)

Created openstack-neutron tracking bugs for this issue:
Affects: openstack-rdo [bug 2004296]

This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.2
Via RHSA-2022:0996 https://access.redhat.com/errata/RHSA-2022:0996

This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.1
Via RHSA-2022:0990 https://access.redhat.com/errata/RHSA-2022:0990

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-40797