neutron: CVE-2021-40797: Routes middleware memory leak for nonexistent controllers

Debian Bug report logs - #994202
neutron: CVE-2021-40797: Routes middleware memory leak for nonexistent controllers

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: neutron: CVE-2021-40797: Routes middleware memory leak for nonexistent controllers

Date: Mon, 13 Sep 2021 19:31:03 +0200

Source: neutron
Version: 2:18.1.0-3
Severity: important
Tags: security upstream
Forwarded: https://bugs.launchpad.net/neutron/+bug/1942179
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for neutron.

CVE-2021-40797[0]:
| An issue was discovered in the routes middleware in OpenStack Neutron
| before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making
| API requests involving nonexistent controllers, an authenticated user
| may cause the API worker to consume increasing amounts of memory,
| resulting in API performance degradation or denial of service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-40797
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797
[1] https://bugs.launchpad.net/neutron/+bug/1942179

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 994202@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <thomas@goirand.fr>

To: Salvatore Bonaccorso <carnil@debian.org>, 994202@bugs.debian.org

Subject: Re: Bug#994202: neutron: CVE-2021-40797: Routes middleware memory leak for nonexistent controllers

Date: Tue, 14 Sep 2021 09:29:07 +0200

On 9/13/21 7:31 PM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:18.1.0-3
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.launchpad.net/neutron/+bug/1942179
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for neutron.
> 
> CVE-2021-40797[0]:
> | An issue was discovered in the routes middleware in OpenStack Neutron
> | before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making
> | API requests involving nonexistent controllers, an authenticated user
> | may cause the API worker to consume increasing amounts of memory,
> | resulting in API performance degradation or denial of service.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-40797
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797
> [1] https://bugs.launchpad.net/neutron/+bug/1942179
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

Hi Salvatore,

According to the launchpad bug, it feels like the issue is when using
Eventlet as web server (ie: the integrated Python web server), but in
Debian, the Neutron API is served over uwsgi. In such case, the API
process just dies after it serves a query, if I'm not mistaking.
Therefore, I don't think Debian would be affected.

This is to be confirmed, as I asked in the #openstack-neutron IRC
channel (also on OFTC), and I'm still waiting for a reply.

Cheers,

Thomas Goirand (zigo)

Message #15 received at 994202-done@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <thomas@goirand.fr>

To: Salvatore Bonaccorso <carnil@debian.org>, 994202-done@bugs.debian.org, security@debian.org

Subject: Re: Bug#994202: neutron: CVE-2021-40797: Routes middleware memory leak for nonexistent controllers

Date: Tue, 14 Sep 2021 11:00:35 +0200

On 9/13/21 7:31 PM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:18.1.0-3
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.launchpad.net/neutron/+bug/1942179
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for neutron.
> 
> CVE-2021-40797[0]:
> | An issue was discovered in the routes middleware in OpenStack Neutron
> | before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making
> | API requests involving nonexistent controllers, an authenticated user
> | may cause the API worker to consume increasing amounts of memory,
> | resulting in API performance degradation or denial of service.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-40797
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797
> [1] https://bugs.launchpad.net/neutron/+bug/1942179
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

Hi Salvatore,

I just confirmed this with upstream: neutron-api is *NOT* affected by
this problem because we're using UWSGI ! :)

Please set the security tracker accordingly.

Cheers,

Thomas Goirand (zigo)

Send a report that this bug log contains spam.