OSSA-2021-006: Routes middleware memory leak for nonexistent controllers

Date:

September 09, 2021

CVE:

CVE-2021-40797

Affects

• Neutron: <16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1

Description

Slawek Kaplonski with Red Hat reported a vulnerability in Neutron’s routes middleware. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service. All Neutron deployments are affected.

Patches

• https://review.opendev.org/807638 (Queens)

• https://review.opendev.org/807637 (Rocky)

• https://review.opendev.org/807636 (Stein)

• https://review.opendev.org/807635 (Train)

• https://review.opendev.org/807634 (Ussuri)

• https://review.opendev.org/807633 (Victoria)

• https://review.opendev.org/807632 (Wallaby)

• https://review.opendev.org/807335 (Xena)

Credits

• Slawek Kaplonski from Red Hat (CVE-2021-40797)

References

• https://launchpad.net/bugs/1942179

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797

Notes

• The stable/train, stable/stein, stable/rocky, and stable/queens branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy.