oss-sec mailing list archives

[OSSA 2014-031] Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)


From: Grant Murphy <gmurphy () redhat com>
Date: Tue, 30 Sep 2014 00:12:23 +1000

OpenStack Security Advisory: OSSA-2014-031
CVE: CVE-2014-6414
Date: September 29, 2014

Title: Admin-only network attributes may be reset to defaults by non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network
attribute with its default value, a non-privileged user may reset admin-only network
attributes. This may lead to unexpected behavior with security implications for
operators with a custom policy.json, or in some extreme cases to network outages
resulting in denial of service. All deployments using Neutron networking are
affected by this flaw.
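To illustrate the class of flaw the advisory describes, here is an added, simplified model (constructed for this note, not Neutron's own code): an update handler that only runs the per-attribute policy check when it believes the attribute was "explicitly set", and decides that by comparing the submitted value to the attribute's default. The flawed checker skips the admin-only policy for a value equal to the default, yet still writes it; the fixed checker treats anything present in the update body as explicitly set. The attribute table, `PolicyNotAuthorized`, `update_network` and `demo` are assumptions of this model.

```python
# Constructed attribute map for a "network" resource: default value and whether
# only admins may set it (stands in for the admin-only attributes the advisory names).
NETWORK_ATTRS = {
    "name": {"default": "", "admin_only": False},
    "shared": {"default": False, "admin_only": True},
    "router:external": {"default": False, "admin_only": True},
}


class PolicyNotAuthorized(Exception):
    """Raised when a non-admin tries to set an admin-only attribute."""


def is_explicitly_set_flawed(attr, body):
    # Flawed: a submitted value equal to the default is treated as "not specified",
    # so the admin-only policy check in update_network() is skipped for it.
    return attr in body and body[attr] != NETWORK_ATTRS[attr]["default"]


def is_explicitly_set_fixed(attr, body):
    # Fixed: on update, any attribute present in the request body is explicitly set,
    # regardless of whether its value happens to equal the default.
    return attr in body


def update_network(current, body, is_admin, explicitly_set):
    """Apply an update request and return the resulting network dict."""
    updated = dict(current)
    for attr, value in body.items():
        if attr not in NETWORK_ATTRS:
            raise ValueError("unknown attribute: %s" % attr)
        if (explicitly_set(attr, body)
                and NETWORK_ATTRS[attr]["admin_only"] and not is_admin):
            raise PolicyNotAuthorized(attr)
        # The value is written whether or not the policy check actually ran.
        updated[attr] = value
    return updated


# Constructed sample: an admin previously marked this network shared and external.
SAMPLE_NET = {"name": "prod", "shared": True, "router:external": True}


def demo(fixed):
    """Non-admin sends the default value for an admin-only attribute.

    Returns the updated network if the request was accepted, or None if the
    policy check rejected it. With the flawed checker the admin-only flag is
    silently reset; with the fixed checker the request is refused.
    """
    checker = is_explicitly_set_fixed if fixed else is_explicitly_set_flawed
    try:
        return update_network(SAMPLE_NET, {"shared": False}, False, checker)
    except PolicyNotAuthorized:
        return None
```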

Juno (development branch) fix:
https://review.openstack.org/114531

Icehouse fix:
https://review.openstack.org/123849

Notes:
This fix will be included in the Juno release 2014.2.0 and in the
future 2014.1.3 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6414
https://launchpad.net/bugs/1357379

--
Grant Murphy
OpenStack Vulnerability Management Team
