Date: Fri, 28 Mar 2014 01:48:56 +1000 From: Grant Murphy <gmurphy@...hat.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056) OpenStack Security Advisory: 2014-008 CVE: CVE-2014-0056 Date: March 27, 2014 Title: Routers can be cross plugged by other tenants Reporter: Aaron Rosen (VMWare) Products: Neutron Affects: 2012.2 versions up to 2013.2.2 Description: Aaron Rosen from VMWare reported a vulnerability where Neutron fails to perform proper authorization checks when creating ports. By choosing a device id of a router from a different tenant when creating a port, an authenticated user can access the network of other tenants. This affects deployments of Neutron using plugins relying on the l3-agent. Icehouse (development branch) fix: https://review.openstack.org/83391 Havana fix: https://review.openstack.org/83393 Notes: One should perform and audit of the ports that are already attached to routers after applying this patch and remove ports that a tenant may have cross plugged. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0056 https://bugs.launchpad.net/bugs/1243327 -- Grant Murphy OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (231 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.