Date: Tue, 16 Sep 2014 00:58:43 +1000 From: Grant Murphy <gmurphy@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE request for vulnerability in OpenStack Neutron A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Admin-only network attributes may be reset to defaults by non-privileged users Reporter: Elena Ezhova (Mirantis) Products: Neutron Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2 Description: Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw. References: https://launchpad.net/bugs/1357379 Thanks in advance, -- Grant Murphy OpenStack Vulnerability Management Team Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.