openstack-neutron: unrestricted creation of security groups (fix for CVE-2022-3277)
Description
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-3637 describes an uncontrolled resource consumption flaw in openstack-neutron allowing a remote authenticated user to trigger a denial of service via requests for security groups of an invalid project.
Vulnerability Description
CVE-2023-3637 is an uncontrolled resource consumption flaw in OpenStack Networking (neutron). The root cause is that when a remote authenticated user queries a list of security groups for an invalid project, the system creates resources that are not constrained by the user's quota [1][2][4]. This effectively bypasses the intended limits on resource usage, allowing a single authenticated user to exhaust system resources.
Attack Vector
An authenticated user with network access to the OpenStack API can exploit this by sending a significant number of requests for a list of security groups tied to a non-existent (invalid) project. The vulnerability does not require any special privileges beyond standard user authentication. The attack is performed remotely over the network [1][2].
Impact
Successful exploitation leads to uncontrolled resource consumption, which can result in a denial of service (DoS) condition. The user's quota is not enforced, so a modest number of requests can exhaust backend resources, potentially affecting the availability of the neutron service for legitimate users [2][4]. Red Hat has rated this as a Moderate severity issue [3].
Mitigation
Red Hat released an advisory RHSA-2023:4283 on 2023-07-26 to address this flaw in Red Hat OpenStack Platform 16.2 (Train) [3]. The update includes a fix that properly constrains resource creation by enforcing user quotas. Organizations running affected versions should apply the security update to prevent exploitation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| neutron (PyPI) | <= 22.0.2 | — |
Affected products
- Red Hat / Red Hat OpenStack Platform 16.1 (cpe:/a:redhat:openstack:16.1)
- Red Hat / Red Hat OpenStack Platform 16.2 (cpe:/a:redhat:openstack:16.2::el8), affected range: 1:15.3.5-2.20230216175503.el8ost
- Red Hat / Red Hat OpenStack Platform 17.0 (cpe:/a:redhat:openstack:17.0)
- Red Hat / Red Hat OpenStack Platform 17.1 (cpe:/a:redhat:openstack:17.1)
- Red Hat / Red Hat OpenStack Platform 18.0 (cpe:/a:redhat:openstack:18.0)
- Red Hat / Red Hat OpenStack Platform 13 (Queens) Operational Tools (cpe:/a:redhat:openstack-optools:13)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2023:4283 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-r3jh-qhgj-gvr8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-3637 (NVD advisory)
- access.redhat.com/security/cve/CVE-2023-3637 (vulnerability database entry, Red Hat)
- bugzilla.redhat.com/show_bug.cgi (issue tracking, Red Hat)
News mentions
No linked articles in our index yet.