2222270 – (CVE-2023-3637) CVE-2023-3637 openstack-neutron: unrestricted creation of security groups (fix for CVE-2022-3277)

Bug 2222270 (CVE-2023-3637) - CVE-2023-3637 openstack-neutron: unrestricted creation of security groups (fix for CVE-2022-3277)

Summary: CVE-2023-3637 openstack-neutron: unrestricted creation of security groups (fi...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-3637
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2222271 2222272 2222273 2222274 2222275
Blocks:	2123777
TreeView+	depends on / blocked

Reported:	2023-07-12 13:51 UTC by Avinash Hanwate
Modified:	2023-08-09 21:02 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:	An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.
Clone Of:
Environment:
Last Closed:	2023-07-26 17:46:57 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:4283	0	None	None	None	2023-07-26 12:47:10 UTC

Description Avinash Hanwate 2023-07-12 13:51:25 UTC

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.

Comment 2 errata-xmlrpc 2023-07-26 12:47:08 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:4283 https://access.redhat.com/errata/RHSA-2023:4283

Comment 3 Product Security DevOps Team 2023-08-01 08:27:51 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-3637

Note You need to log in before you can comment on or make changes to this bug.