
oss-sec mailing list archives
[OSSA 2012-009] Scheduler denial of service through scheduler_hints (CVE-2012-3371)
From: Thierry Carrez <thierry () openstack org>
Date: Wed, 11 Jul 2012 18:43:07 +0200
OpenStack Security Advisory: 2012-009
CVE: CVE-2012-3371
Date: July 11, 2012
Title: Scheduler denial of service through scheduler_hints
Impact: Medium
Reporter: Dan Prince (Red Hat)
Products: Nova
Affects: Essex, Folsom series

Description:
Dan Prince from Red Hat reported a vulnerability in Nova scheduler nodes. By creating servers with malicious scheduler_hints, an authenticated user may generate a huge number of database calls, potentially resulting in a Denial of Service attack against Nova scheduler nodes. Only setups exposing the OpenStack API and enabling DifferentHostFilter and/or SameHostFilter are affected.

Fixes:
Folsom: https://github.com/openstack/nova/commit/034762e8060dcf0a11cb039b9d426b0d0bb1801d
Essex: https://github.com/openstack/nova/commit/25f5bd31805bd21d7b7e3583c775252aa8f737e9

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3371
https://bugs.launchpad.net/nova/+bug/1017795

Notes:
This fix will be included in the folsom-3 development milestone (published next month) and in future Essex releases.
-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
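As an added illustration (not Nova's code, and not the code in the commits linked above), the following shows the pattern the advisory describes: an affinity filter that issues one database call per uuid in the different_host hint, so the length of a caller-supplied list drives scheduler database load, beside a batched form that issues one query per host and checks membership in memory. The hint key, the in-memory CountingDB and the sample instances are assumptions made for this example.

```python
"""Added illustration, not Nova's own code: a per-hint database lookup in an
affinity filter lets the length of a caller-supplied scheduler_hints list set
the number of scheduler DB calls, while one query per host keeps it constant.
The hint key, the fake DB and the sample data are assumptions for this example."""


class CountingDB:
    """Constructed in-memory stand-in for the scheduler's DB layer; counts calls."""

    def __init__(self, instances):
        self.instances = instances  # instance uuid -> host name
        self.calls = 0

    def instance_get(self, uuid):
        self.calls += 1
        return {"uuid": uuid, "host": self.instances.get(uuid)}

    def instance_get_all_by_host(self, host):
        self.calls += 1
        return [{"uuid": u, "host": h} for u, h in self.instances.items() if h == host]


def _hint_list(hints):
    """A hint value may be a single uuid or a list; normalise to a list."""
    uuids = hints.get("different_host", [])
    return [uuids] if isinstance(uuids, str) else list(uuids)


def different_host_per_hint(db, host, hints):
    """Vulnerable pattern: one DB round trip per uuid in the caller-controlled list."""
    return not any(db.instance_get(u)["host"] == host for u in _hint_list(hints))


def different_host_batched(db, host, hints):
    """Hardened pattern: one DB query for the host, then set membership in memory."""
    on_host = {row["uuid"] for row in db.instance_get_all_by_host(host)}
    return on_host.isdisjoint(_hint_list(hints))


def db_calls_for(filter_fn, hint_count):
    """Run a filter for host 'node-1' against a constructed hint list of hint_count
    nonexistent uuids plus one real instance on another host; return (passes, calls)."""
    db = CountingDB({"i-1": "node-1", "i-2": "node-2"})
    hints = {"different_host": ["unknown-%d" % n for n in range(hint_count)] + ["i-2"]}
    passes = filter_fn(db, "node-1", hints)
    return passes, db.calls


if __name__ == "__main__":
    for name, fn in (("per-hint", different_host_per_hint), ("batched", different_host_batched)):
        print(name, "with 1000 hints ->", db_calls_for(fn, 1000))  # (True, 1001) vs (True, 1)
```

Both filters give the same answer; only the DB call count differs, which is the quantity an operator would watch on scheduler nodes after enabling these filters.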