Name | CVE-2021-40797 |
Description | An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 994202 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
neutron (PTS) | jessie | 2014.1.3-12 | vulnerable |
neutron (PTS) | stretch (security), stretch (lts), stretch | 2:9.1.1-3+deb9u3 | vulnerable |
neutron (PTS) | buster (security), buster, buster (lts) | 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1 | fixed |
neutron (PTS) | bullseye (security), bullseye | 2:17.2.1-0+deb11u1 | fixed |
neutron (PTS) | bookworm | 2:21.0.0-7 | fixed |
neutron (PTS) | sid, trixie | 2:25.0.0-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
neutron | source | buster | 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1 | | | |
neutron | source | bullseye | 2:17.2.1-0+deb11u1 | | | |
neutron | source | (unstable) | 2:19.0.0-1 | unimportant | | 994202 |
Notes
https://launchpad.net/bugs/1942179
neutron-api in Debian is served over UWSGI (cf. https://bugs.debian.org/994202), and so serves the requests and stops the process.