Jeremy Stanley (jeremy) reports:

Title: Denial of Service in Nova network source security groups
Reporter: Vishvananda Ishaya (Nebula)
Products: Nova
Affects: All versions

Vishvananda Ishaya from Nebula reported a denial of service vulnerability in Nova's handling of network source security group policy updates. By performing a large number of server creation operations, the proportion of updates increases quadratically and may overwhelm nova-network such that it is no longer able to service other requests in a timely fashion. Only setups relying on nova-network are affected.

Havana (development branch) fix: https://review.openstack.org/39541
Grizzly fix: https://review.openstack.org/39543
Folsom fix: https://review.openstack.org/39544

Notes: This fix will be included in the 2013.2.b3 development milestone and in a future 2013.1.3 release.
This is now public: http://seclists.org/oss-sec/2013/q3/282
Created openstack-nova tracking bugs for this issue:
Affects: fedora-all [bug 994816]
Affects: epel-6 [bug 994817]
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Vishvananda Ishaya from Nebula as the original reporter.
This issue has been addressed in the following products:
OpenStack 3 for RHEL 6
Via RHSA-2013:1199 https://rhn.redhat.com/errata/RHSA-2013-1199.html