OSSA-2012-009: Scheduler denial of service through scheduler_hints

Date:

July 11, 2012

CVE:

CVE-2012-3371

Affects

  • Nova: Essex, Folsom series

Description

Dan Prince from Red Hat reported a vulnerability in Nova scheduler nodes. By creating servers with malicious scheduler_hints, an authenticated user may generate a huge number of database calls, potentially resulting in a Denial of Service attack against Nova scheduler nodes. Only setups exposing the OpenStack API and enabling DifferentHostFilter and/or SameHostFilter are affected.
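A simplified model of the cost described above, as an added example that is neither Nova's code nor the project's patch. It assumes a host filter that performs one database lookup per hinted instance UUID for every candidate host, and contrasts it with a variant that validates and caps the hint and issues one batched lookup per host; `FakeDB`, `MAX_HINT_UUIDS` and the function names are hypothetical.

```python
import uuid

MAX_HINT_UUIDS = 32  # hypothetical cap, not a Nova option

class FakeDB:
    """Constructed in-memory instance table that counts queries."""
    def __init__(self, placement):
        self.placement, self.calls = placement, 0  # placement: uuid -> host

    def get_host(self, instance_uuid):  # one query per instance
        self.calls += 1
        return self.placement.get(instance_uuid)

    def uuids_on_host(self, host, uuids):  # one batched query per host
        self.calls += 1
        return {u for u in uuids if self.placement.get(u) == host}

def clean_hint(raw):
    """Accept a str or list, reject oversized lists, keep only valid UUIDs."""
    items = [raw] if isinstance(raw, str) else list(raw or [])
    if len(items) > MAX_HINT_UUIDS:
        raise ValueError("too many UUIDs in scheduler hint")
    valid = set()
    for item in items:
        try:
            valid.add(str(uuid.UUID(str(item))))
        except ValueError:
            pass  # drop malformed entries instead of querying for them
    return valid

def naive_different_host(db, hosts, hint):
    # Modelled unbounded filter: one lookup per hinted UUID per candidate host.
    return [h for h in hosts if not any(db.get_host(u) == h for u in hint)]

def bounded_different_host(db, hosts, hint):
    # Validate and cap first, then one batched lookup per candidate host.
    wanted = clean_hint(hint)
    return [h for h in hosts if not (wanted and db.uuids_on_host(h, wanted))]

def demo():
    hosts = ["host%d" % i for i in range(10)]
    real = str(uuid.UUID(int=1))
    db = FakeDB({real: "host0"})
    big = [str(uuid.UUID(int=i)) for i in range(2, 5001)] + [real]  # 5000 constructed UUIDs
    naive_hosts = naive_different_host(db, hosts, big)
    naive_calls, db.calls = db.calls, 0
    bounded_hosts = bounded_different_host(db, hosts, [real, "not-a-uuid"])
    return naive_hosts, naive_calls, bounded_hosts, db.calls

if __name__ == "__main__":
    print(demo())
```

In the model, the query count of the unbounded filter grows with hosts times hint length, while the bounded one stays at one query per host and rejects oversized hints before touching the database.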

Patches

Credits

  • Dan Prince from Red Hat (CVE-2012-3371)

References