Date: Tue, 23 Jun 2015 10:08:54 -0700
From: Tristan Cacqueray <tdecacqu@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2015-012] Neutron L2 agent DoS through incorrect allowed address pairs (CVE-2015-3221)

===========================================================================
OSSA-2015-012: Neutron L2 agent DoS through incorrect allowed address pairs
===========================================================================

:Date: June 23, 2015
:CVE: CVE-2015-3221


Affects
~~~~~~~
- Neutron: 2014.2 versions through 2014.2.3 and 2015.1.0 version


Description
~~~~~~~~~~~
Darragh O'Reilly from HP reported a vulnerability in Neutron. By
adding an address pair which is rejected as invalid by the ipset tool,
an authenticated user may crash the Neutron L2 agent resulting in a
denial of service attack. Neutron setups using the IPTables firewall
driver are affected.


Patches
~~~~~~~
- https://review.openstack.org/194696 (Juno)
- https://review.openstack.org/194697 (Kilo)
- https://review.openstack.org/194695 (Liberty)


Credits
~~~~~~~
- Darragh O'Reilly from HP (CVE-2015-3221)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1461054
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3221


Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and 2015.1.1
  (kilo) releases.
- Zero prefixed address pairs are no longer accepted by the Juno API,
  users need to use 0.0.0.0/1 and 188.8.131.52/1 or ::/1 and 8000::/1
  instead. The fix_zero_length_ip_prefix.py tool is provided to clean
  ports previously configured with a zero prefixed address pair

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
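
An added example, not part of the advisory and not the project's fix_zero_length_ip_prefix.py tool: a Python pre-check that flags zero-length-prefix allowed address pairs and derives the two /1 halves that the Notes say to use instead. The port ids and sample values are constructed, and `check_pair` and `audit_ports` are hypothetical names.

```python
import ipaddress

# Constructed sample data: port id -> allowed address pair values.
SAMPLE_PORTS = {
    "port-a": ["10.0.0.5", "192.168.10.0/24"],
    "port-b": ["0.0.0.0/0"],
    "port-c": ["::/0", "2001:db8::/64"],
    "port-d": ["10.0.0.0/33"],
}


def check_pair(cidr):
    """Return (ok, values): the normalised CIDR, or replacements / a reason."""
    try:
        # strict=False so a bare host address or a value with host bits set
        # is normalised instead of rejected.
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return False, [f"unparseable: {exc}"]
    if net.prefixlen == 0:
        # A zero-length prefix covers the whole address family. Split it
        # into its two /1 halves, the replacement described in the Notes.
        return False, [str(half) for half in net.subnets(prefixlen_diff=1)]
    return True, [str(net)]


def audit_ports(ports):
    """Map port id -> [(bad_value, suggestion)] for pairs that need cleanup."""
    findings = {}
    for port_id, pairs in ports.items():
        bad = []
        for value in pairs:
            ok, hint = check_pair(value)
            if not ok:
                bad.append((value, hint))
        if bad:
            findings[port_id] = bad
    return findings


if __name__ == "__main__":
    for port_id, bad in audit_ports(SAMPLE_PORTS).items():
        for value, hint in bad:
            print(f"{port_id}: {value!r} -> {hint}")
```
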