Date: Tue, 23 Jun 2015 10:08:54 -0700
From: Tristan Cacqueray <>
Subject: [OSSA 2015-012] Neutron L2 agent DoS through incorrect allowed address
 pairs (CVE-2015-3221)

OSSA-2015-012: Neutron L2 agent DoS through incorrect allowed address pairs

:Date: June 23, 2015
:CVE: CVE-2015-3221

- Neutron: 2014.2 versions through 2014.2.3 and 2015.1.0 version

Darragh O'Reilly from HP reported a vulnerability in Neutron. By
adding an address pair which is rejected as invalid by the ipset tool,
an authenticated user may crash the Neutron L2 agent resulting in a
denial of service attack. Neutron setups using the IPTables firewall
driver are affected.

- (Juno)
- (Kilo)
- (Liberty)

- Darragh O'Reilly from HP (CVE-2015-3221)


- This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo)
- Zero prefixed address pairs are no longer accepted by the Juno API, users
  need to use and or ::/1 and 8000::/1 instead. The tool is provided to clean ports previously
  configured with a zero prefixed address pair

Tristan Cacqueray
OpenStack Vulnerability Management Team
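
An audit sketch for the upgrade note above, added here as an example and not part of the advisory or of Neutron's code: it flags zero-prefix entries in a port's allowed address pairs and computes the two /1 networks that cover the same range. The port dictionaries are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data shaped like a port's allowed_address_pairs attribute.
SAMPLE_PORTS = [
    {"id": "port-a", "allowed_address_pairs": [{"ip_address": "10.0.0.5"}]},
    {"id": "port-b", "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},
    {"id": "port-c", "allowed_address_pairs": [{"ip_address": "::/0"},
                                               {"ip_address": "192.168.1.0/24"}]},
    {"id": "port-d", "allowed_address_pairs": [{"ip_address": "not-an-ip"}]},
]


def split_zero_prefix(cidr):
    """Return the two /1 halves of a zero-prefix CIDR, or None if the prefix is non-zero.

    Raises ValueError when the value is not a parsable address or network.
    strict=False so that host bits (e.g. "1.2.3.4/0") do not hide a /0 prefix.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen != 0:
        return None
    return [str(half) for half in net.subnets(prefixlen_diff=1)]


def audit_ports(ports):
    """Return (port_id, value, reason, replacement) for each entry needing attention."""
    findings = []
    for port in ports:
        for pair in port.get("allowed_address_pairs", []):
            value = pair.get("ip_address", "")
            try:
                halves = split_zero_prefix(value)
            except ValueError:
                findings.append((port["id"], value, "unparsable", []))
                continue
            if halves is not None:
                findings.append((port["id"], value, "zero-prefix", halves))
    return findings


if __name__ == "__main__":
    for port_id, value, reason, replacement in audit_ports(SAMPLE_PORTS):
        print(port_id, value, reason, replacement)
```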
