Miggo Logo
Miggo Vulnerability Database
CVE-2012-3371

CVE-2012-3371: OpenStack Nova Scheduler denial of service through scheduler_hints

3.5

CVSS Score

Basic Information

CVE ID
CVE-2012-3371
GHSA ID
GHSA-xxgm-qpj5-4886
EPSS Score
0.74386%
CWE
CWE-20
Published
5/17/2022
Updated
11/22/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
AV:N/AC:M/Au:S/C:N/I:N/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
Novapip< 12.0.0a012.0.0a0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from making individual database calls (compute_api.get()) for each UUID in scheduler_hints. The pre-patch implementation in DifferentHostFilter and SameHostFilter's host_passes methods iterated through UUIDs using _affinity_host(), which performed a separate database lookup for each UUID. This created a linear scaling problem where repeated UUIDs would trigger multiple redundant database queries. The commit 034762e replaced this pattern with a bulk lookup (compute_api.get_all()) in _all_hosts(), demonstrating the vulnerable pattern was in these filter methods and their dependency on _affinity_host.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Nov* s****ul*r in Op*nSt**k *omput* (Nov*) *olsom (****.*) *n* *ss*x (****.*), w**n *i***r*nt*ost*ilt*r or S*m**ost*ilt*r is *n**l**, *llows r*mot* *ut**nti**t** us*rs to **us* * **ni*l o* s*rvi** (*x**ssiv* **t***s* lookup **lls *n* s*rv*r **n*)

Reasoning

T** vuln*r**ility st*mm** *rom m*kin* in*ivi*u*l **t***s* **lls (*omput*_*pi.**t()) *or **** UUI* in s****ul*r_*ints. T** pr*-p*t** impl*m*nt*tion in *i***r*nt*ost*ilt*r *n* S*m**ost*ilt*r's *ost_p*ss*s m*t*o*s it*r*t** t*rou** UUI*s usin* _***inity_