[no-OSSN-yet] Eventlet green threads not released back to the pool leading to choking of new requests (no-CVE-yet)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | Medium | Alexey Khivin |
5.1.x | Won't Fix | Medium | Unassigned |
6.0.x | Won't Fix | Medium | Unassigned |
6.1.x | Won't Fix | Medium | Unassigned |
Bug Description
Tushar Patil reported a vulnerability affecting all or most of the OpenStack APIs.
It is possible to choke OpenStack API controller services that use the wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service, for example the nova api service, the eventlet library takes a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned to the pool until the client socket connection is closed. This way, any malicious user can send many API requests to the API controller node, determine the wsgi pool size configured for the given service, send that many requests to the service and, after receiving the responses, wait there indefinitely doing nothing, disrupting the service for other tenants. Even when service providers have enabled the rate limiting feature, it is possible to choke the API services with a group (many tenants) attack.
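The mechanism above, and the mitigation of bounding how long an idle keep-alive connection may pin a worker, as an added example that is not part of this bug report, of nova, or of eventlet: it models the pool with plain Python threads on a loopback socket instead of eventlet green threads, and the `idle_timeout` parameter is a hypothetical stand-in for a client socket idle timeout. `pool_recovers(None)` reproduces the choke locally (every worker stays pinned to a connection that is never closed, so a fresh request is never answered); `pool_recovers(0.3)` shows the pool freeing itself once idle connections are dropped. The `idle_releases` counter is the kind of value a defender would export as a metric, since a sustained rise in it indicates clients holding connections open without traffic.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Minimal keep-alive reply; the server does not parse HTTP, it just answers
# each chunk the client sends (enough to model one request/response cycle).
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: keep-alive\r\n\r\nok"


class KeepAliveServer:
    """Fixed-size worker pool where a worker stays pinned to one client
    connection until that connection closes, which is the behaviour the bug
    describes.  idle_timeout (hypothetical parameter) is the mitigation: a
    worker that sees no data for that long drops the idle connection and
    returns to the pool."""

    def __init__(self, pool_size, idle_timeout=None):
        self.idle_timeout = idle_timeout
        self.idle_releases = 0          # how often a worker was freed by the timeout
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._pool = ThreadPoolExecutor(max_workers=pool_size)
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", 0))   # ephemeral loopback port
        self._listener.listen(64)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        # Accepted connections queue here while every worker is pinned, so a
        # full pool means new requests wait: that queue is the choke point.
        while not self._stop.is_set():
            try:
                conn, _ = self._listener.accept()
            except OSError:
                break
            self._pool.submit(self._serve, conn)

    def _serve(self, conn):
        # None means "block forever", the unmitigated behaviour.
        conn.settimeout(self.idle_timeout)
        try:
            while not self._stop.is_set():
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    # Client went quiet: release the worker instead of waiting
                    # for a close that a hostile client will never send.
                    with self._lock:
                        self.idle_releases += 1
                    break
                if not data:            # orderly close by the client
                    break
                conn.sendall(RESPONSE)
        finally:
            conn.close()

    def close(self):
        self._stop.set()
        try:
            self._listener.shutdown(socket.SHUT_RDWR)  # wakes a blocked accept() on Linux
        except OSError:
            pass
        self._listener.close()
        self._pool.shutdown(wait=False)


def open_and_request(port, timeout=5.0):
    """Open a keep-alive connection, send one request, return (socket, reply)."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    sock.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
    return sock, sock.recv(4096)


def pool_recovers(idle_timeout, pool_size=2, probe_timeout=2.0):
    """Pin every worker with an idle keep-alive connection, then check whether
    a fresh request is still answered.  Returns (served, idle_releases)."""
    server = KeepAliveServer(pool_size, idle_timeout)
    held = [open_and_request(server.port)[0] for _ in range(pool_size)]
    try:
        probe, reply = open_and_request(server.port, timeout=probe_timeout)
        probe.close()
        served = reply.startswith(b"HTTP/1.1 200")
    except socket.timeout:
        served = False                  # stuck behind the pinned workers
    for sock in held:
        sock.close()
    releases = server.idle_releases
    server.close()
    return served, releases


if __name__ == "__main__":
    print("no idle timeout :", pool_recovers(None))   # served=False
    print("idle timeout 0.3:", pool_recovers(0.3))    # served=True
```

The unmitigated run takes the full probe timeout to fail because nothing ever frees a worker; the mitigated run answers the probe shortly after the idle timeout elapses. Rate limiting does not change this picture, as the report notes, because the pinned workers were consumed by requests that were each individually legitimate.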
References to proposed upstream patches:
https:/
Please review whether this applies to MOS: every single API component we ship with 7.0.
Changed in mos:
assignee: MOS Maintenance (mos-maintenance) → Alexey Khivin (akhivin)
Changed in mos:
status: Confirmed → In Progress
tags: added: heat
Changed in mos:
status: In Progress → Fix Committed
tags: removed: 70mu1-confirmed
Changed in mos:
importance: High → Medium
information type: Private Security → Public Security
https://review.openstack.org/224941 needs to be cherry-picked