Bug 769399 (CVE-2012-3371) - VUL-0: CVE-2012-3371: openstack-nova: Scheduler denial of service through scheduler_hints
Summary: VUL-0: CVE-2012-3371: openstack-nova: Scheduler denial of service through sch...
Status: RESOLVED FIXED
Alias: CVE-2012-3371
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Sascha Peilicke
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-29 12:33 UTC by Ludwig Nussel
Modified: 2021-08-11 09:36 UTC (History)
2 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
essex.diff (1.92 KB, patch)
2012-06-29 12:35 UTC, Ludwig Nussel 		Details | Diff
folsom.diff (1.81 KB, patch)
2012-06-29 12:35 UTC, Ludwig Nussel 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2012-06-29 12:33:23 UTC 
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

------------------------------------------------------------------------------
Date: Fri, 29 Jun 2012 14:14:12 +0200
From: Thierry Carrez <thierry@openstack.org>
Subject: [vs-plain] Vulnerability in OpenStack Nova

Title: Scheduler denial of service through scheduler_hints
Impact: Medium
Reporter: Dan Prince (Red Hat)
Products: Nova
Affects: Essex, Folsom series

Description:
Dan Prince from Red Hat reported a vulnerability in Nova scheduler
nodes. By creating servers with malicious scheduler_hints, an
authenticated user may generate a huge amount of database calls,
potentially resulting in a Denial of Service attack against Nova
scheduler nodes. Only setups exposing the OpenStack API and enabling
DifferentHostFilter and/or SameHostFilter are affected.

Proposed patches:
See attached diffs for current development tree (Folsom), and the Essex
backport of it. Unless a flaw is discovered in them, these proposed
patches will be merged to Nova master and stable/essex branches on
public disclosure date.
Comment 2 Ludwig Nussel 2012-06-29 12:35:36 UTC 
Created attachment 496939 [details]
essex.diff
Comment 3 Ludwig Nussel 2012-06-29 12:35:56 UTC 
Created attachment 496940 [details]
folsom.diff
Comment 4 Sascha Peilicke 2012-06-29 13:35:08 UTC 
Added the proposed patch to Devel:Cloud / openstack-nova
Comment 6 Swamp Workflow Management 2012-06-29 22:00:14 UTC 
bugbot adjusting priority
Comment 7 Sebastian Krahmer 2012-07-02 07:11:37 UTC 
CRD changed to July 11th.
Comment 8 Sebastian Krahmer 2012-07-02 07:12:12 UTC 
CVE-2012-3371
Comment 10 Sascha Peilicke 2012-07-02 08:15:46 UTC 
Done
Comment 11 Sascha Peilicke 2012-07-09 07:54:34 UTC 
Ok, now that Beta2 is released, I re-added the patch to openstack-nova. As we don't do maintenance for Beta2, I assume this can be closed?