OSSA-2012-009: Scheduler denial of service through scheduler_hints

Date

July 11, 2012

CVE

CVE-2012-3371

Affects

  • Nova: Essex, Folsom series

Description

Dan Prince from Red Hat reported a vulnerability in Nova scheduler nodes. By creating servers with malicious scheduler_hints, an authenticated user may generate a huge number of database calls, potentially resulting in a Denial of Service attack against Nova scheduler nodes. Only setups exposing the OpenStack API and enabling DifferentHostFilter and/or SameHostFilter are affected.
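
To check a deployment against the exposure condition in the Description above, the following added example (not part of the advisory or of Nova's own code) scans nova.conf text for the two named filters. It assumes the filter list is set through the `scheduler_default_filters` option, written either in INI form or in `--flag=value` form; the function name and both sample configurations are constructed for illustration.

```python
import re

# Filters named in the advisory as the precondition for exposure.
AFFECTED = {"DifferentHostFilter", "SameHostFilter"}
# Assumption: the enabled filter list is configured with this option.
OPTION = "scheduler_default_filters"

# Accepts "option = a,b" (INI form) and "--option=a,b" (flag-file form).
_ASSIGN = re.compile(r"^(?:--)?%s\s*=\s*(.*)$" % re.escape(OPTION))


def enabled_affected_filters(conf_text):
    """Return the affected filters explicitly enabled in nova.conf text.

    An empty set means the option does not list either filter; it says
    nothing about settings applied outside this file.
    """
    found = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blanks and commented-out settings.
        if not line or line.startswith(("#", ";")):
            continue
        match = _ASSIGN.match(line)
        if not match:
            continue
        names = {n.strip().strip("'\"") for n in match.group(1).split(",")}
        # A later assignment replaces an earlier one.
        found = names & AFFECTED
    return found


# Constructed sample: INI form with one affected filter enabled.
INI_SAMPLE = """\
[DEFAULT]
# scheduler_default_filters=SameHostFilter
scheduler_default_filters = RamFilter, ComputeFilter, DifferentHostFilter
"""

# Constructed sample: flag-file form with neither affected filter enabled.
FLAG_SAMPLE = "--scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter\n"

if __name__ == "__main__":
    for label, text in (("ini", INI_SAMPLE), ("flags", FLAG_SAMPLE)):
        hits = sorted(enabled_affected_filters(text))
        print(label, "->", ", ".join(hits) if hits else "no affected filter listed")
```
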

Credits

  • Dan Prince from Red Hat (CVE-2012-3371)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.