DescriptionMurray McAllister
2014-02-10 06:28:55 UTC
The OpenStack project reports:
Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMWare)
Products: Neutron
Affects: 2012.2 versions up to 2013.2.2
Description:
Aaron Rosen from VMWare reported a vulnerability where Neutron fails to
perform proper authorization checks when creating ports. By choosing a
device id of a router from a different tenant when creating a port, an
authenticated user can access the network of other tenants. This affects
deployments of Neutron using plugins relying on the l3-agent.
Comment 1Murray McAllister
2014-02-10 06:29:51 UTC
Acknowledgements:
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Aaron Rosen from VMware as the original reporter.
Comment 4Murray McAllister
2014-03-28 06:13:00 UTC