CVE-2021-40797: 
Python vulnerability analysis and mitigation

A vulnerability (CVE-2021-40797) was discovered in the routes middleware of OpenStack Neutron affecting versions before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. The vulnerability was reported by Slawek Kaplonski from Red Hat and was disclosed on September 9, 2021 (OpenStack OSSA).

The vulnerability exists in Neutron's routes middleware where using the default singleton=True in the routes.middleware.RoutesMiddleware leads to issues with eventlet monkeypatching of the threading library. This implementation causes the thread-local RequestConfig singleton object to malfunction, resulting in memory leaks when API requests are made to nonexistent endpoints (Launchpad Bug).

When exploited, this vulnerability allows an authenticated user to cause the API worker to consume increasing amounts of memory by making API requests to nonexistent controllers. This can result in API performance degradation or complete denial of service for the Neutron service (OpenStack OSSA).

The issue has been fixed in multiple versions with patches provided for various OpenStack releases. The fix involves setting singleton=False in the RoutesMiddleware object. Updates are available for Queens, Rocky, Stein, Train, Ussuri, Victoria, Wallaby, and Xena releases (OpenStack OSSA).