Bug 1118833 (CVE-2014-3555)
| Summary: | CVE-2014-3555 openstack-neutron: Denial of Service in Neutron allowed address pair | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> | ||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | unspecified | CC: | abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, ihrachys, jrusnack, lhh, lpeer, markmc, mmcallis, nyechiel, rbryant, sclewis, security-response-team, yeylon | ||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: |
A denial of service flaw was found in neutron's handling of allowed address pairs. As there was no enforced quota on the amount of allowed address pairs, a sufficiently authorized user could possibly create a large number of firewall rules, impacting performance or potentially rendering a compute node unusable.
|
Story Points: | --- | ||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2014-09-03 01:58:54 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | 1121941, 1122428, 1125946, 1125947, 1125948 | ||||||||||
| Bug Blocks: | 1118835 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Vasyl Kaigorodov
2014-07-11 15:58:00 UTC
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Liping Mao from Cisco as the original reporter. Created attachment 917901 [details] master/juno patch for CVE-2014-3555 Created attachment 917902 [details] stable/havana patch for CVE-2014-3555 Created attachment 917904 [details] stable/icehouse patch for CVE-2014-3555 This issue is public: http://seclists.org/oss-sec/2014/q3/200 Created openstack-neutron tracking bugs for this issue: Affects: fedora-20 [bug 1122428] openstack-neutron-2013.2.3-13.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. Any updates on RHOSP trackers? This issue has been addressed in following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1078 https://rhn.redhat.com/errata/RHSA-2014-1078.html IssueDescription: A denial of service flaw was found in neutron's handling of allowed address pairs. As there was no enforced quota on the amount of allowed address pairs, a sufficiently authorized user could possibly create a large number of firewall rules, impacting performance or potentially rendering a compute node unusable. This issue has been addressed in following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1120 https://rhn.redhat.com/errata/RHSA-2014-1120.html This issue has been addressed in following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1119 https://rhn.redhat.com/errata/RHSA-2014-1119.html |