Bugzilla – Bug 1190339
VUL-0: CVE-2021-40797: openstack-neutron: routes middleware memory leak for nonexistent controllers
Last modified: 2024-05-29 12:12:04 UTC
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797
https://launchpad.net/bugs/1942179
Affected packages:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/openstack-neutron 11.0.9~dev69
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/openstack-neutron 13.0.8~dev164

Upstream patch: https://opendev.org/openstack/neutron/commit/e610a5eb9e71aa2549fb11e2139370d227787da2
Patch is upstream in stable/rocky and currently on its way through Cloud 9 CI. I'll look into creating a backport for stable/pike (if needed at all).
Patch for stable/pike was needed indeed. Here's the request for the stable/pike package: https://build.opensuse.org/request/show/918975
SUSE-SU-2022:1884-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1189794,1190339
CVE References: CVE-2021-40085,CVE-2021-40797
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): openstack-neutron-11.0.9~dev69-3.43.1, openstack-neutron-doc-11.0.9~dev69-3.43.1
SUSE OpenStack Cloud 8 (src): openstack-neutron-11.0.9~dev69-3.43.1, openstack-neutron-doc-11.0.9~dev69-3.43.1
HPE Helion Openstack 8 (src): openstack-neutron-11.0.9~dev69-3.43.1, openstack-neutron-doc-11.0.9~dev69-3.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.