From 4f5d81b664a81ad7ba4856fbabe1d3f1f12a14e8 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Wed, 8 Sep 2021 20:15:03 +0000
Subject: [PATCH] Add OSSA-2021-006 (CVE-2021-40797)
Change-Id: Ie61b5ffbec78e8c90e5ad773c9479f0d7ae1b932
Closes-Bug: #1942179
---
ossa/OSSA-2021-006.yaml | 59 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 ossa/OSSA-2021-006.yaml
diff --git a/ossa/OSSA-2021-006.yaml b/ossa/OSSA-2021-006.yaml
new file mode 100644
index 0000000..59f20c2
--- /dev/null
+++ b/ossa/OSSA-2021-006.yaml
@@ -0,0 +1,59 @@
+date: 2021-09-09
+
+id: OSSA-2021-006
+
+title: Routes middleware memory leak for nonexistent controllers
+
+description: >
+ Slawek Kaplonski with Red Hat reported a vulnerability in Neutron's routes
+ middleware. By making API requests involving nonexistent controllers, an
+ authenticated user may cause the API worker to consume increasing amounts of
+ memory, resulting in API performance degradation or denial of service. All
+ Neutron deployments are affected.
+
+affected-products:
+ - product: Neutron
+ version: '<16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1'
+
+vulnerabilities:
+ - cve-id: CVE-2021-40797
+
+reporters:
+ - name: Slawek Kaplonski
+ affiliation: Red Hat
+ reported:
+ - CVE-2021-40797
+
+issues:
+ links:
+ - https://launchpad.net/bugs/1942179
+
+reviews:
+ xena:
+ - https://review.opendev.org/807335
+
+ wallaby:
+ - https://review.opendev.org/807632
+
+ victoria:
+ - https://review.opendev.org/807633
+
+ ussuri:
+ - https://review.opendev.org/807634
+
+ train:
+ - https://review.opendev.org/807635
+
+ stein:
+ - https://review.opendev.org/807636
+
+ rocky:
+ - https://review.opendev.org/807637
+
+ queens:
+ - https://review.opendev.org/807638
+
+notes:
+ - The stable/train, stable/stein, stable/rocky, and stable/queens branches
+ are under extended maintenance and will receive no new point releases, but
+ patches for them are provided as a courtesy.
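Review bot: The advisory gives operators nothing to act on between disclosure and patching: the single `notes` entry covers only branch maintenance status, while the description says an authenticated user can make an API worker's memory grow until the service degrades. Because the open-ended `<16.4.1` range also takes in the extended-maintenance series that will never get a fixed point release, a second `notes` entry would help, for example `- Until the fix is applied, monitor neutron API worker memory use for sustained growth.` Whether restarting workers reclaims the leaked memory is not stated on this page and should be confirmed against the linked bug before it is written into the advisory.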