CVE-2022-37394: 
Python vulnerability analysis and mitigation

CVE-2022-37394 is a vulnerability discovered in OpenStack Nova affecting versions before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. The vulnerability was reported by Balazs Gibizer from Red Hat and involves Nova's restart behavior when a Neutron port type is changed from 'direct' to 'macvtap' (Launchpad Bug).

The vulnerability occurs in OpenStack Nova's handling of vnictype changes. When a neutron port with vnictype 'direct' is created and bound to an instance, and then the vnictype is changed to 'macvtap', the compute service attempts to plug the vif of the changed port during initinstance. However, since the port now has macvtap vnictype, Nova tries to look up the netdev of the parent VF, which is still consumed by the instance, resulting in a failure to find the netdev on the host OS (Red Hat Advisory).

The vulnerability can cause the compute service to fail to restart, potentially resulting in a denial of service condition. This affects only Nova deployments configured with SR-IOV. The impact is considered low severity according to Red Hat's assessment (Red Hat Advisory).

The issue has been fixed in OpenStack Nova versions 23.2.2, 24.1.2, and 25.0.2. The fix includes adding an exception handler that logs an ERROR and continues initializing other instances on the host when the vnictype change is detected. Additionally, a detailed ERROR log is added when Nova detects the vnictype change during healinstanceinfocache periodic (Launchpad Bug).