CVE-2021-40797

Name: CVE-2021-40797
Description: An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 994202

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release                                          | Version                                      | Status     |
|----------------|--------------------------------------------------|----------------------------------------------|------------|
| neutron (PTS)  | jessie                                           | 2014.1.3-12                                  | vulnerable |
|                | stretch (security), stretch (lts), stretch       | 2:9.1.1-3+deb9u3                             | vulnerable |
|                | buster (security), buster, buster (lts)          | 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1 | fixed      |
|                | bullseye (security), bullseye                    | 2:17.2.1-0+deb11u1                           | fixed      |
|                | bookworm                                         | 2:21.0.0-7                                   | fixed      |
|                | trixie                                           | 2:25.0.0-3                                   | fixed      |
|                | sid                                              | 2:25.0.0-4                                   | fixed      |

The information below is based on the following data on fixed versions.

| Package | Type   | Release    | Fixed Version                                | Urgency     | Origin | Debian Bugs |
|---------|--------|------------|----------------------------------------------|-------------|--------|-------------|
| neutron | source | buster     | 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1 |             |        |             |
| neutron | source | bullseye   | 2:17.2.1-0+deb11u1                           |             |        |             |
| neutron | source | (unstable) | 2:19.0.0-1                                   | unimportant |        | 994202      |

Notes

Upstream bug: https://launchpad.net/bugs/1942179
neutron-api in Debian is served via uWSGI (cf. https://bugs.debian.org/994202), so the worker serves the requests and then stops the process.
