Bug 1995273 (CVE-2021-38598)

Summary: CVE-2021-38598 openstack-neutron: Linuxbridge ARP filter bypass on Netfilter platforms
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: chrisw, dalvarez, dbecker, jjoyce, jschluet, lhh, lpeer, mburns, rhos-maint, sclewis, scohen, slinaber, srevivo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: neutron 16.4.1, neutron 17.1.3 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in neutron's Linux bridge driver on newer Netfilter-based platforms. This flaw allows a malicious user in control of a server instance connected to the virtual switch to send a crafted packet and impersonate hardware addresses of other systems on the network. The highest threat from this vulnerability is to system availability, but could also result in the interception of traffic intended for other destinations.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-23 03:34:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1995274    

Description Pedro Sampaio 2021-08-18 17:32:14 UTC 
===================================================================
OSSA-2021-004: Linuxbridge ARP filter bypass on Netfilter platforms
===================================================================

:Date: August 17, 2021
:CVE: CVE-2021-38598


Affects
~~~~~~~
- Neutron: <16.4.1, >=17.0.0 <17.1.3, ==18.0.0


Description
~~~~~~~~~~~
Jake Yip with ARDC and Justin Mammarella with the University of
Melbourne reported a vulnerability in Neutron's linuxbridge driver
on newer Netfilter-based platforms (the successor to IPTables). By
sending carefully crafted packets, anyone in control of a server
instance connected to the virtual switch can impersonate the
hardware addresses of other systems on the network, resulting in
denial of service or in some cases possibly interception of traffic
intended for other destinations. Only deployments using the
linuxbridge driver with ebtables-nft are affected.


Patches
~~~~~~~
- https://review.opendev.org/804058 (Train)
- https://review.opendev.org/804057 (Ussuri)
- https://review.opendev.org/804056 (Victoria)
- https://review.opendev.org/785917 (Wallaby)
- https://review.opendev.org/785177 (Xena)


Credits
~~~~~~~
- Jake Yip from ARDC (CVE-2021-38598)
- Justin Mammarella from University of Melbourne (CVE-2021-38598)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1938670
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38598


Notes
~~~~~
- The stable/train branch is under extended maintenance and will
  receive no new point releases, but a patch for it is provided as a
  courtesy.

-- 
Jeremy Stanley

References:

https://seclists.org/oss-sec/2021/q3/107
Comment 1 Product Security DevOps Team 2021-08-23 03:34:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-38598