oss-sec mailing list archives

CVE request for vulnerability in OpenStack Neutron


From: Grant Murphy <gmurphy () redhat com>
Date: Tue, 16 Sep 2014 00:58:43 +1000


A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.

Title: Admin-only network attributes may be reset to defaults by
non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating
a network attribute with a default value a non-privileged user may reset
admin-only network attributes. This may lead to unexpected behavior with
security implications for operators with a custom policy.json, or in some
extreme cases network outages resulting in denial of service. All
deployments using neutron networking are affected by this flaw.


References:
https://launchpad.net/bugs/1357379

Thanks in advance,

--
Grant Murphy
OpenStack Vulnerability Management Team
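As an added illustration of the failure mode described in this report (not Neutron's code and not part of the original message), the following models an attribute-level policy check: the flawed version treats a value equal to the attribute's default as "not set", so a non-admin update that supplies the default slips past the admin-only check, while the fixed version keys on whether the attribute is present in the request body at all. The attribute names, their defaults and the request bodies are assumptions constructed for the example.

```python
# Added illustration of the flaw described in the advisory; not Neutron's code.
# Models how a policy engine decides whether a non-admin network update
# touches admin-only attributes. Names and defaults below are assumptions.

ADMIN_ONLY_ATTRS = {"shared": False, "router:external": False}  # assumed


def is_attr_set_vulnerable(body: dict, attr: str, default) -> bool:
    """Flawed test: a value equal to the default is treated as 'not set'.
    A request that resets the attribute to its default therefore never
    triggers the admin-only check."""
    return body.get(attr, default) != default


def is_attr_set_fixed(body: dict, attr: str, default) -> bool:
    """Hardened test: any attribute present in the request body counts as
    explicitly set, regardless of the value supplied."""
    return attr in body


def authorize_update(body: dict, is_admin: bool, is_set) -> bool:
    """Return True if the update is permitted. Non-admins may not touch
    admin-only attributes; admins may set anything."""
    if is_admin:
        return True
    return not any(is_set(body, a, d) for a, d in ADMIN_ONLY_ATTRS.items())


# Constructed request: a tenant user sets 'shared' back to its default
# (False) on a network an operator had marked shared.
RESET_REQUEST = {"name": "net0", "shared": False}
# Constructed request touching only a tenant-editable attribute.
BENIGN_REQUEST = {"name": "net0-renamed"}


def demo() -> dict:
    """Compare both checks on the reset request; the vulnerable check
    permits it, the fixed check denies it."""
    return {
        "vulnerable_permits_reset": authorize_update(
            RESET_REQUEST, False, is_attr_set_vulnerable),
        "fixed_permits_reset": authorize_update(
            RESET_REQUEST, False, is_attr_set_fixed),
        "fixed_permits_benign": authorize_update(
            BENIGN_REQUEST, False, is_attr_set_fixed),
    }
```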
