========================================================================
OSSA-2021-006: Routes middleware memory leak for nonexistent controllers
========================================================================
:Date: September 09, 2021
:CVE: CVE-2021-40797
Affects
~~~~~~~
- Neutron: <16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1
Description
~~~~~~~~~~~
Slawek Kaplonski with Red Hat reported a vulnerability in Neutron's
routes middleware. By making API requests involving nonexistent
controllers, an authenticated user may cause the API worker to
consume increasing amounts of memory, resulting in API performance
degradation or denial of service. All Neutron deployments are
affected.
Patches
~~~~~~~
- https://review.opendev.org/807638 (Queens)
- https://review.opendev.org/807637 (Rocky)
- https://review.opendev.org/807636 (Stein)
- https://review.opendev.org/807635 (Train)
- https://review.opendev.org/807634 (Ussuri)
- https://review.opendev.org/807633 (Victoria)
- https://review.opendev.org/807632 (Wallaby)
- https://review.opendev.org/807335 (Xena)
Credits
~~~~~~~
- Slawek Kaplonski from Red Hat (CVE-2021-40797)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1942179
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797
Notes
~~~~~
- The stable/train, stable/stein, stable/rocky, and stable/queens
branches are under extended maintenance and will receive no new
point releases, but patches for them are provided as a courtesy.
--
Jeremy Stanley
OSSA-2021-006: Routes middleware memory leak for nonexistent controllers
========================================================================
:Date: September 09, 2021
:CVE: CVE-2021-40797
Affects
~~~~~~~
- Neutron: <16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1
Description
~~~~~~~~~~~
Slawek Kaplonski with Red Hat reported a vulnerability in Neutron's
routes middleware. By making API requests involving nonexistent
controllers, an authenticated user may cause the API worker to
consume increasing amounts of memory, resulting in API performance
degradation or denial of service. All Neutron deployments are
affected.
Patches
~~~~~~~
- https://review.opendev.org/807638 (Queens)
- https://review.opendev.org/807637 (Rocky)
- https://review.opendev.org/807636 (Stein)
- https://review.opendev.org/807635 (Train)
- https://review.opendev.org/807634 (Ussuri)
- https://review.opendev.org/807633 (Victoria)
- https://review.opendev.org/807632 (Wallaby)
- https://review.opendev.org/807335 (Xena)
Credits
~~~~~~~
- Slawek Kaplonski from Red Hat (CVE-2021-40797)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1942179
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797
Notes
~~~~~
- The stable/train, stable/stein, stable/rocky, and stable/queens
branches are under extended maintenance and will receive no new
point releases, but patches for them are provided as a courtesy.
--
Jeremy Stanley
Attached Files:
-
signature.asc (0.94 KB)