[OSSA 2014-039] Neutron DoS through invalid DNS configuration (CVE-2014-7821)

[Tristan Cacqueray <tristan.cacqueray () enovance com>]

OpenStack Security Advisory: 2014-039
CVE: CVE-2014-7821
Date: November 19, 2014
Title: Neutron DoS through invalid DNS configuration
Reporter: Henry Yamauchi, Charles Neill and Michael Xin (Rackspace)
Products: Neutron
Versions: up to 2014.1.3 and 2014.2

Description:
Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported
a vulnerability in Neutron. By configuring a maliciously crafted
dns_nameservers an authenticated user may crash Neutron service
resulting in a denial of service attack. All Neutron setups are affected.

Kilo (development branch) fix:
https://review.openstack.org/135616

Juno fix:
https://review.openstack.org/135623

Icehouse fix:
https://review.openstack.org/135624

Notes:
This fix will be included in future 2014.1.4 and 2014.2.1 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7821
https://launchpad.net/bugs/1378450

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: OpenPGP digital signature