Date: Tue, 22 Apr 2014 15:15:03 +0200 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-014] Neutron security groups bypass through invalid CIDR (CVE-2014-0187) OpenStack Security Advisory: 2014-014 CVE: CVE-2014-0187 Date: April 22, 2014 Title: Neutron security groups bypass through invalid CIDR Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom) Products: Neutron Versions: 2013.1 to 2013.2.3, and 2014.1 Description: Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche Telekom reported a vulnerability in Neutron security groups. By creating a security group rule with an invalid CIDR, an authenticated user may break openvswitch-agent process, preventing further rules from being applied on the host. Note: removal of the faulty rule is not enough, the openvswitch-agent must be restarted. All Neutron setups using Open vSwitch are affected. Juno (development branch) fix: https://review.openstack.org/59212 Icehouse fix: https://review.openstack.org/88674 Havana fix: https://review.openstack.org/88057 Notes: This fix will be included in the juno-1 development milestone and in future 2013.2.4 and 2014.1.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0187 https://launchpad.net/bugs/1300785 -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (556 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.