On 9/13/21 7:31 PM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:18.1.0-3
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.launchpad.net/neutron/+bug/1942179
> X-Debbugs-Cc: [email protected], Debian Security Team 
> <[email protected]>
> 
> Hi,
> 
> The following vulnerability was published for neutron.
> 
> CVE-2021-40797[0]:
> | An issue was discovered in the routes middleware in OpenStack Neutron
> | before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making
> | API requests involving nonexistent controllers, an authenticated user
> | may cause the API worker to consume increasing amounts of memory,
> | resulting in API performance degradation or denial of service.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-40797
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797
> [1] https://bugs.launchpad.net/neutron/+bug/1942179
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

Hi Salvatore,

According to the launchpad bug, it feels like the issue is when using
Eventlet as web server (ie: the integrated Python web server), but in
Debian, the Neutron API is served over uwsgi. In such case, the API
process just dies after it serves a query, if I'm not mistaking.
Therefore, I don't think Debian would be affected.

This is to be confirmed, as I asked in the #openstack-neutron IRC
channel (also on OFTC), and I'm still waiting for a reply.

Cheers,

Thomas Goirand (zigo)

Reply via email to