Comment 8 for bug 1668410

Jeremy Stanley (fungi) wrote : Re: Infinite loop trying to delete deleted HA router

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Given this was purported to have been fixed in master by https://review.openstack.org/365653 prior to the Newton release and it in turn claims to be fixing bug 1607381 (which itself makes mention of an infinite loop bug 1606844 which is also questioned as a possible dupe for bug 1605546, bug 1533441, bug 1533457 and bug 1605546, some of which are still open), it's not entirely clear to me the degree to which this has been solved so some summary from neutron-coresec reviewers would be particularly appreciated.

That aside, "denial of service" conditions arising from unconstrained resource consumption by authenticated users is a grey area we struggle with classifying. At some point, operators must have a means of identifying abuse by their users, locking them out and cleaning up the mess. In a "typical" production deployment servicing potentially risky users, how quickly can an abuser "fill up" your logs doing this? Will your monitoring system alert operations to the increase in activity and disk utilization in reasonable time for them to take mitigating action? Are deployments likely to include rate-limiting proxies which further throttle problem API calls such as these?

In most cases, we triage such reports as security hardening opportunities (class D in our taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy ) and since this report is already public there's no harm in doing that for now while entertaining further discussion on whether it should be reclassed and any potential advisory issued.