Moderate severity · NVD Advisory · Published Mar 6, 2023 · Updated Mar 7, 2025

CVE-2022-3277

Description

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A remote authenticated user can cause uncontrolled resource consumption in OpenStack Neutron by listing security groups for an invalid project, leading to denial of service.

Vulnerability

Overview

CVE-2022-3277 describes an uncontrolled resource consumption flaw in OpenStack Neutron. The root cause is that Neutron does not properly validate the project_id parameter when processing requests to list security groups. When a non-admin user sends a request with project_id=None, Neutron creates a default security group for that project instead of returning an authorization error [1][2]. This behavior bypasses user quota controls, allowing the creation of resources that are not counted against the user's limits.

Exploitation

A remote authenticated attacker (non-admin) can exploit this by making API calls to list security groups with project_id=None. While the OpenStack client may have a client-side check that prevents this (since the Queens release), direct API calls to the Neutron server bypass that check [2]. By repeatedly sending such requests, the attacker forces Neutron to create many default security groups, consuming server resources (e.g., database entries, memory) without any quota enforcement.

Impact

Successful exploitation leads to a denial of service (DoS) condition. The uncontrolled creation of security groups can exhaust server resources, degrading performance or causing Neutron to become unresponsive for legitimate users. The issue is classified as critical in the Neutron bug tracker [4].

Mitigation

The vulnerability has been fixed in Neutron (status: Fix Released) [4]. Users should update to the latest patched version. As a workaround, administrators can enforce project validation at the API level or ensure that client-side checks are in place to prevent users from specifying invalid project IDs [2].
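
The effect of the guard added by the fix can be checked against a small model. This is an added example, not Neutron's code: Context, SecurityGroupStore and rows_created_by_foreign_listing are hypothetical names, and the store is a constructed in-memory stand-in for the security group table.

```python
from dataclasses import dataclass, field


@dataclass
class Context:
    # Stand-in for the request context; only the two attributes the guard reads.
    tenant_id: str
    is_admin: bool = False


@dataclass
class SecurityGroupStore:
    """Toy in-memory model (constructed), not Neutron's DB layer."""
    patched: bool
    default_sgs: dict = field(default_factory=dict)  # tenant_id -> group id

    def ensure_default_security_group(self, context, tenant_id):
        # Guard mirroring the fix: a non-admin may only trigger creation of
        # the default group for its own tenant.
        mismatch = tenant_id != context.tenant_id
        if self.patched and mismatch and not context.is_admin:
            return None
        if tenant_id not in self.default_sgs:
            # Created implicitly, so nothing is charged to the caller's quota.
            self.default_sgs[tenant_id] = f"sg-default-{len(self.default_sgs)}"
        return self.default_sgs[tenant_id]

    def list_security_groups(self, context, project_id):
        # Listing first ensures the default group exists (the side effect
        # at the heart of this CVE), then returns the caller's visible rows.
        self.ensure_default_security_group(context, project_id)
        # Simplification: non-admins only ever see their own tenant's rows.
        visible = project_id if context.is_admin else context.tenant_id
        return [sg for t, sg in self.default_sgs.items() if t == visible]


def rows_created_by_foreign_listing(patched, is_admin=False, n=5):
    """Rows left behind after listing n projects the caller does not own."""
    store = SecurityGroupStore(patched=patched)
    ctx = Context(tenant_id="tenant_0", is_admin=is_admin)
    for i in range(n):
        store.list_security_groups(ctx, f"bogus-project-{i}")
    return len(store.default_sgs)
```

Without the guard every listing of a foreign project leaves one row behind; with it, only admins and the tenant itself can cause the default group to be created.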

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
neutron (PyPI) | >= 19.0.0.0rc1, < 19.5.0 | 19.5.0
neutron (PyPI) | < 18.6.0 | 18.6.0
neutron (PyPI) | >= 20.0.0.0rc1, < 20.3.0 | 20.3.0

Affected products

  • openstack/neutron · description
  • ghsa-coords
    Range: >= 19.0.0.0rc1, < 19.5.0

Patches

d0e1b54fb1de

Do not allow a tenant to create a default SG for another one

https://github.com/openstack/neutron · Brian Haley · Sep 2, 2022 · via ghsa
2 files changed · +16 0
  • neutron/db/securitygroups_db.py+4 0 modified
    @@ -861,6 +861,10 @@ def _ensure_default_security_group(self, context, tenant_id):
     
             :returns: the default security group id for given tenant.
             """
    +        # Do not allow a tenant to create a default SG for another one.
    +        # See Bug 1987410.
    +        if tenant_id != context.tenant_id and not context.is_admin:
    +            return
             if not extensions.is_extension_supported(self, 'security-group'):
                 return
             default_group_id = self._get_default_sg_id(context, tenant_id)
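Review bot: the new early `return` in `_ensure_default_security_group` hands back None on a tenant mismatch, but the docstring directly above still reads ":returns: the default security group id for given tenant." Callers that use the result as an id now have a second None path next to the extension check. Suggest extending the `:returns:` text to say that None is returned when a non-admin context asks for another tenant.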
    
  • neutron/tests/unit/db/test_securitygroups_db.py+12 0 modified
    @@ -615,3 +615,15 @@ def test__ensure_default_security_group_when_disabled(self):
                 self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
                 create_sg.assert_not_called()
                 get_default_sg_id.assert_not_called()
    +
    +    def test__ensure_default_security_group_tenant_mismatch(self):
    +        with mock.patch.object(
    +                self.mixin, '_get_default_sg_id') as get_default_sg_id,\
    +                mock.patch.object(
    +                        self.mixin, 'create_security_group') as create_sg:
    +            context = mock.Mock()
    +            context.tenant_id = 'tenant_0'
    +            context.is_admin = False
    +            self.mixin._ensure_default_security_group(context, 'tenant_1')
    +            create_sg.assert_not_called()
    +            get_default_sg_id.assert_not_called()
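Review bot: test__ensure_default_security_group_tenant_mismatch only covers the rejected case (context.is_admin = False), so the `and not context.is_admin` half of the guard is never exercised. A guard reduced to `tenant_id != context.tenant_id` would pass this test while breaking admins who act on behalf of other tenants. Suggest a companion test with context.is_admin = True and a mismatched tenant, with the security-group extension reported as supported, that asserts get_default_sg_id is called.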
    
cbeee87fa44c

Do not allow a tenant to create a default SG for another one

https://github.com/openstack/neutron · Brian Haley · Sep 2, 2022 · via ghsa
2 files changed · +16 0
  • neutron/db/securitygroups_db.py+4 0 modified
    @@ -862,6 +862,10 @@ def _ensure_default_security_group(self, context, tenant_id):
     
             :returns: the default security group id for given tenant.
             """
    +        # Do not allow a tenant to create a default SG for another one.
    +        # See Bug 1987410.
    +        if tenant_id != context.tenant_id and not context.is_admin:
    +            return
             if not extensions.is_extension_supported(self, 'security-group'):
                 return
             default_group_id = self._get_default_sg_id(context, tenant_id)
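Review bot: the rejected branch at `if tenant_id != context.tenant_id and not context.is_admin:` returns without leaving any trace, so repeated cross-tenant requests of the kind tracked in Bug 1987410 stay invisible to operators. Suggest a debug or warning log line on this branch, before the `return`, that records context.tenant_id and the requested tenant_id.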
    
  • neutron/tests/unit/db/test_securitygroups_db.py+12 0 modified
    @@ -615,3 +615,15 @@ def test__ensure_default_security_group_when_disabled(self):
                 self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
                 create_sg.assert_not_called()
                 get_default_sg_id.assert_not_called()
    +
    +    def test__ensure_default_security_group_tenant_mismatch(self):
    +        with mock.patch.object(
    +                self.mixin, '_get_default_sg_id') as get_default_sg_id,\
    +                mock.patch.object(
    +                        self.mixin, 'create_security_group') as create_sg:
    +            context = mock.Mock()
    +            context.tenant_id = 'tenant_0'
    +            context.is_admin = False
    +            self.mixin._ensure_default_security_group(context, 'tenant_1')
    +            create_sg.assert_not_called()
    +            get_default_sg_id.assert_not_called()
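Review bot: the mismatch test asserts only that create_sg and get_default_sg_id were not called; it never checks what `self.mixin._ensure_default_security_group(context, 'tenant_1')` returns. Capturing the result and asserting it is None would pin down the contract of the new early return and catch a later change that starts returning a group id on this path.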
    
717e3e09556f

Do not allow a tenant to create a default SG for another one

https://github.com/openstack/neutron · Brian Haley · Sep 2, 2022 · via ghsa
2 files changed · +16 0
  • neutron/db/securitygroups_db.py+4 0 modified
    @@ -931,6 +931,10 @@ def _ensure_default_security_group(self, context, tenant_id):
     
             :returns: the default security group id for given tenant.
             """
    +        # Do not allow a tenant to create a default SG for another one.
    +        # See Bug 1987410.
    +        if tenant_id != context.tenant_id and not context.is_admin:
    +            return
             if not extensions.is_extension_supported(self, 'security-group'):
                 return
             default_group_id = self._get_default_sg_id(context, tenant_id)
    
  • neutron/tests/unit/db/test_securitygroups_db.py+12 0 modified
    @@ -659,3 +659,15 @@ def test__ensure_default_security_group_when_disabled(self):
                 self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
                 create_sg.assert_not_called()
                 get_default_sg_id.assert_not_called()
    +
    +    def test__ensure_default_security_group_tenant_mismatch(self):
    +        with mock.patch.object(
    +                self.mixin, '_get_default_sg_id') as get_default_sg_id,\
    +                mock.patch.object(
    +                        self.mixin, 'create_security_group') as create_sg:
    +            context = mock.Mock()
    +            context.tenant_id = 'tenant_0'
    +            context.is_admin = False
    +            self.mixin._ensure_default_security_group(context, 'tenant_1')
    +            create_sg.assert_not_called()
    +            get_default_sg_id.assert_not_called()
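Review bot: `context = mock.Mock()` is an unspecced mock, so any attribute not set explicitly returns a fresh Mock that compares unequal to 'tenant_1'. If the production guard were changed to read a different attribute than tenant_id, this test would still pass. Suggest building the context with a spec, or using a real request context, so that only the attributes set here (tenant_id and is_admin) are valid.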
    
01fc2b9195f9

Do not allow a tenant to create a default SG for another one

https://github.com/openstack/neutron · Brian Haley · Sep 2, 2022 · via ghsa
2 files changed · +16 0
  • neutron/db/securitygroups_db.py+4 0 modified
    @@ -928,6 +928,10 @@ def _ensure_default_security_group(self, context, tenant_id):
     
             :returns: the default security group id for given tenant.
             """
    +        # Do not allow a tenant to create a default SG for another one.
    +        # See Bug 1987410.
    +        if tenant_id != context.tenant_id and not context.is_admin:
    +            return
             if not extensions.is_extension_supported(self, 'security-group'):
                 return
             default_group_id = self._get_default_sg_id(context, tenant_id)
    
  • neutron/tests/unit/db/test_securitygroups_db.py+12 0 modified
    @@ -660,3 +660,15 @@ def test__ensure_default_security_group_when_disabled(self):
                 self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
                 create_sg.assert_not_called()
                 get_default_sg_id.assert_not_called()
    +
    +    def test__ensure_default_security_group_tenant_mismatch(self):
    +        with mock.patch.object(
    +                self.mixin, '_get_default_sg_id') as get_default_sg_id,\
    +                mock.patch.object(
    +                        self.mixin, 'create_security_group') as create_sg:
    +            context = mock.Mock()
    +            context.tenant_id = 'tenant_0'
    +            context.is_admin = False
    +            self.mixin._ensure_default_security_group(context, 'tenant_1')
    +            create_sg.assert_not_called()
    +            get_default_sg_id.assert_not_called()
    
733ef4f2d8c2

Do not allow a tenant to create a default SG for another one

https://github.com/openstack/neutron · Brian Haley · Sep 2, 2022 · via ghsa
2 files changed · +16 0
  • neutron/db/securitygroups_db.py+4 0 modified
    @@ -915,6 +915,10 @@ def _ensure_default_security_group(self, context, tenant_id):
     
             :returns: the default security group id for given tenant.
             """
    +        # Do not allow a tenant to create a default SG for another one.
    +        # See Bug 1987410.
    +        if tenant_id != context.tenant_id and not context.is_admin:
    +            return
             if not extensions.is_extension_supported(self, 'security-group'):
                 return
             default_group_id = self._get_default_sg_id(context, tenant_id)
    
  • neutron/tests/unit/db/test_securitygroups_db.py+12 0 modified
    @@ -617,3 +617,15 @@ def test__ensure_default_security_group_when_disabled(self):
                 self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
                 create_sg.assert_not_called()
                 get_default_sg_id.assert_not_called()
    +
    +    def test__ensure_default_security_group_tenant_mismatch(self):
    +        with mock.patch.object(
    +                self.mixin, '_get_default_sg_id') as get_default_sg_id,\
    +                mock.patch.object(
    +                        self.mixin, 'create_security_group') as create_sg:
    +            context = mock.Mock()
    +            context.tenant_id = 'tenant_0'
    +            context.is_admin = False
    +            self.mixin._ensure_default_security_group(context, 'tenant_1')
    +            create_sg.assert_not_called()
    +            get_default_sg_id.assert_not_called()
    
fd7fb0e9d8c6

Do not allow a tenant to create a default SG for another one

https://github.com/openstack/neutron · Brian Haley · Sep 2, 2022 · via ghsa
2 files changed · +16 0
  • neutron/db/securitygroups_db.py+4 0 modified
    @@ -930,6 +930,10 @@ def _ensure_default_security_group(self, context, tenant_id):
     
             :returns: the default security group id for given tenant.
             """
    +        # Do not allow a tenant to create a default SG for another one.
    +        # See Bug 1987410.
    +        if tenant_id != context.tenant_id and not context.is_admin:
    +            return
             if not extensions.is_extension_supported(self, 'security-group'):
                 return
             default_group_id = self._get_default_sg_id(context, tenant_id)
    
  • neutron/tests/unit/db/test_securitygroups_db.py+12 0 modified
    @@ -660,3 +660,15 @@ def test__ensure_default_security_group_when_disabled(self):
                 self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
                 create_sg.assert_not_called()
                 get_default_sg_id.assert_not_called()
    +
    +    def test__ensure_default_security_group_tenant_mismatch(self):
    +        with mock.patch.object(
    +                self.mixin, '_get_default_sg_id') as get_default_sg_id,\
    +                mock.patch.object(
    +                        self.mixin, 'create_security_group') as create_sg:
    +            context = mock.Mock()
    +            context.tenant_id = 'tenant_0'
    +            context.is_admin = False
    +            self.mixin._ensure_default_security_group(context, 'tenant_1')
    +            create_sg.assert_not_called()
    +            get_default_sg_id.assert_not_called()
    
