Date: Fri, 10 Jun 2016 12:43:27 -0400 (EDT) From: cve-assign@...re.org To: tdecacqu@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request for vulnerability in OpenStack Neutron -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Title: Neutron IPTables firewall anti-spoof protection bypass > independently reported vulnerabilities in Neutron > anti-spoof protection. By forging DHCP discovery messages or non-IP > traffic, such as ARP or ICMPv6, an instance may spoof IP or MAC source > addresses on attached networks resulting in denial of services and/or > traffic interception. Moreover when L2population isn't used, other > tenants attached to a shared network are also vulnerable. Neutron > setups using the IPTables firewall driver are affected. > The dhcp fix has been included in the 8.0.0 release and this > request probably needs more than one CVE. >> https://bugs.launchpad.net/neutron/+bug/1502933/comments/21 >> Just to be clear, the ICMPv6 source address spoof isn't addressed by >> bug 1558658 patch (I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78). >> Since both issues abuse the same fundamental flaw, it seems like a >> good opportunity to bundle both fix in a single advisory. >> However, because we need different patch, this will likely requires 2 >> different CVE numbers... > https://bugs.launchpad.net/bugs/1558658 (DHCP spoofing because the rule had only > -p udp -m udp --sport 68 --dport 67) Use CVE-2016-5362. > https://bugs.launchpad.net/bugs/1558658 (MAC source address spoofing) Use CVE-2016-5363. > https://bugs.launchpad.net/bugs/1502933 (ICMPv6 source address spoofing) Use CVE-2015-8914. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXWuzyAAoJEHb/MwWLVhi2bBAQAKsmBq6+BILn7sflHZr1biSs 1bGOleiu+F947NAp5zzqjv9riowFneB7fCTPJ3uSXueCSNEyGFDIVPR80M7MWKdv vtTUnLT8GLl9P2ZkvdYLaIW12UQq2OQF5nA0kuz8piVJx5Mx6M9rMypw83cKlIfw iovaJMZuI6ZSsYmdm8RJiEyhRO+fyTXSYi/i7/6UqGUnZuBU4//KvkTqE3ZHWw6K 4HRaFIDVFljIHJpLgdIyLDBoMymxf7yYSvMVAX7f74drOLkQd+LyMYnLzR6dLCtc sFR31f3f1v+lFSYTXdklEF/toSu6pNHauffcmxAWLpn3vOLJbzKpZZ2I23uDPQSZ cOJ0ygs+ZbIXABaRsfBiU6bk0uiXvGqyifcFZnoayWPpCyN65qrdJlgMYBjhprVa g1TEnJ7I+H/6FVTbvpdHo+m0YVS2oF3/Wy2B2FrpdCC43aTPYCzEWNmlQfl8MY39 aGdLugde8eOhWOJQugnqe94CxbAdcR2H/BTh28XaABhLdDwrnU6XSWY56pzcu1ys ctYo8aPPsgHr9SC6c7noBfO3RMQGqkLOFakjjPGUmMHQ3Fz/Rz3pljVFZYwaQ8aS BPvpQ2DtsHo9VSDt/t6srftFNWC2B91lbOj68aKm32rXq4rDuuNtS3pbmFpphjgv WUQ3XjzlzzoHO3TR4PHY =5QDQ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.