Date: Fri, 28 Mar 2014 01:48:56 +1000
From: Grant Murphy <>
Subject: [OSSA 2014-008]  Routers can be cross plugged by other tenants

OpenStack Security Advisory: 2014-008
CVE: CVE-2014-0056
Date: March 27, 2014
Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMWare)
Products: Neutron
Affects: 2012.2 versions up to 2013.2.2

Aaron Rosen from VMWare reported a vulnerability where Neutron fails to
perform proper authorization checks when creating ports. By choosing a
device id of a router from a different tenant when creating a port, an
authenticated user can access the network of other tenants. This affects
deployments of Neutron using plugins relying on the l3-agent.

Icehouse (development branch) fix:

Havana fix:

One should perform an audit of the ports that are already attached to
routers after applying this patch and remove ports that a tenant may
have cross plugged.


Grant Murphy
OpenStack Vulnerability Management Team
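
One way to run the audit recommended above, as an added example that is not part of the original advisory or of Neutron itself: it compares the `tenant_id` of each port with the `tenant_id` of the router named in the port's `device_id`. The sample JSON is constructed and only shaped like the Neutron v2.0 router and port listings; skipping ports with an empty `tenant_id` is an assumption.

```python
import json

# Constructed sample data shaped like Neutron API listings
# (GET /v2.0/routers and GET /v2.0/ports); all IDs are made up.
ROUTERS_JSON = """{"routers": [
  {"id": "router-a", "tenant_id": "tenant-a"},
  {"id": "router-b", "tenant_id": "tenant-b"}]}"""
PORTS_JSON = """{"ports": [
  {"id": "port-1", "device_id": "router-a", "tenant_id": "tenant-a",
   "device_owner": "network:router_interface"},
  {"id": "port-2", "device_id": "router-a", "tenant_id": "tenant-b",
   "device_owner": "network:router_interface"},
  {"id": "port-3", "device_id": "router-b", "tenant_id": "",
   "device_owner": "network:router_gateway"},
  {"id": "port-4", "device_id": "vm-1", "tenant_id": "tenant-b",
   "device_owner": "compute:nova"}]}"""


def find_cross_plugged(routers, ports):
    """Return ports whose device_id names a router owned by another tenant."""
    owner_of = {r["id"]: r["tenant_id"] for r in routers}
    findings = []
    for port in ports:
        router_tenant = owner_of.get(port.get("device_id"))
        if router_tenant is None:
            continue  # device_id is not a router (instance, DHCP, unbound)
        port_tenant = port.get("tenant_id") or ""
        # Assumption: ports with an empty tenant_id are service-created
        # (e.g. gateway ports) and are skipped here; review them separately.
        if port_tenant and port_tenant != router_tenant:
            findings.append({
                "port_id": port["id"],
                "router_id": port["device_id"],
                "port_tenant": port_tenant,
                "router_tenant": router_tenant,
            })
    return findings


def audit(routers_json=ROUTERS_JSON, ports_json=PORTS_JSON):
    routers = json.loads(routers_json)["routers"]
    ports = json.loads(ports_json)["ports"]
    return find_cross_plugged(routers, ports)


if __name__ == "__main__":
    for f in audit():
        print("REVIEW port %(port_id)s (tenant %(port_tenant)s) on router "
              "%(router_id)s (tenant %(router_tenant)s)" % f)
```

The listings must come from an admin-scoped request so that ports and routers of every tenant are included. A flagged port is a candidate for review, since an administrator may have attached an interface across tenants on purpose.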
