oss-sec mailing list archives

[OSSA 2015-001] L3 agent denial of service with radvd 2.0+ (CVE-2014-8153)


From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Thu, 08 Jan 2015 12:53:59 -0500

=========================================================
OSSA-2015-001: L3 agent denial of service with radvd 2.0+
=========================================================

:Date: January 08, 2015
:CVE: CVE-2014-8153


Affects
~~~~~~~
- Neutron: 2014.2 version up to 2014.2.1


Description
~~~~~~~~~~~
Ihar Hrachyshka from Red Hat reported a vulnerability in Neutron. By
creating 8 routers and assigning each of them a non-provider IPv6
subnet, a malicious user may block router update processing for all
tenants, potentially resulting in a Denial of Service. Only Neutron
setups running with radvd 2.0+ are affected.


Patches
~~~~~~~
- https://review.openstack.org/141575 (Juno)
- https://review.openstack.org/138688 (Kilo)


Credits
~~~~~~~
- Ihar Hrachyshka from Red Hat (CVE-2014-8153)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1399172
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8153


Notes
~~~~~
- This fix will be included in a future 2014.2.2 release.
- The OSSA announce format for the 2015 advisories has been changed to
  RST.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
