A flaw was found in openstack-neutron <16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
References:
https://launchpad.net/bugs/1942179
https://security.openstack.org/ossa/OSSA-2021-006.html
http://www.openwall.com/lists/oss-security/2021/09/09/2
Upstream patches:
https://review.opendev.org/807638 (Queens)
https://review.opendev.org/807637 (Rocky)
https://review.opendev.org/807636 (Stein)
https://review.opendev.org/807635 (Train)
https://review.opendev.org/807634 (Ussuri)
https://review.opendev.org/807633 (Victoria)
https://review.opendev.org/807632 (Wallaby)
https://review.opendev.org/807335 (Xena)
Created openstack-neutron tracking bugs for this issue:
Affects: openstack-rdo [bug 2004296]
This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.2
Via RHSA-2022:0996 https://access.redhat.com/errata/RHSA-2022:0996
This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.1
Via RHSA-2022:0990 https://access.redhat.com/errata/RHSA-2022:0990
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-40797