Date: Tue, 30 Sep 2014 00:12:23 +1000
From: Grant Murphy <gmurphy@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-031] Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)

OpenStack Security Advisory: OSSA-2014-031
CVE: CVE-2014-6414
Date: September 29, 2014
Title: Admin-only network attributes may be reset to defaults by non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw.

Juno (development branch) fix:
https://review.openstack.org/114531

Icehouse fix:
https://review.openstack.org/123849

Notes:
This fix will be included in the Juno release 2014.2.0 and in future 2014.1.3 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6414
https://launchpad.net/bugs/1357379

--
Grant Murphy
OpenStack Vulnerability Management Team
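
A simplified model of this class of flaw, added here as an illustration and not taken from the advisory or from Neutron's code: it assumes a per-attribute policy check that treats a submitted value equal to the schema default as "not supplied". The attribute table, the function names and the use of `shared` as the admin-only attribute are hypothetical.

```python
# Simplified model of attribute-level policy enforcement on an update request.
# All names are hypothetical; this is not Neutron's code.

# Constructed attribute schema: default value and whether only admins may set it.
ATTRS = {
    "name":   {"default": "",    "admin_only": False},
    "shared": {"default": False, "admin_only": True},
}


class Forbidden(Exception):
    pass


def explicitly_set_flawed(attr, body):
    # Flaw: a value equal to the schema default is treated as "not supplied",
    # so the admin-only rule is never evaluated for it.
    return attr in body and body[attr] != ATTRS[attr]["default"]


def explicitly_set_fixed(attr, body):
    # On update, any attribute present in the request body counts as set.
    return attr in body


def update(resource, body, is_admin, explicitly_set):
    """Enforce per-attribute policy, then apply the update to a copy."""
    for attr in body:
        if attr not in ATTRS:
            raise ValueError("unknown attribute: %s" % attr)
        if (explicitly_set(attr, body) and ATTRS[attr]["admin_only"]
                and not is_admin):
            raise Forbidden(attr)
    updated = dict(resource)
    updated.update(body)
    return updated


def attempt(explicitly_set):
    """Non-admin submits the default value for an admin-only attribute."""
    network = {"name": "net1", "shared": True}  # constructed: an admin set shared
    try:
        return update(network, {"shared": False}, False, explicitly_set)
    except Forbidden:
        return "denied"
```

Operators with a custom policy.json can use the same reasoning when reviewing rules: an admin-only attribute needs to be enforced for every value a request can carry, including its default.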