The OpenStack project reports:

Title: Denial of Service in Neutron allowed address pair
Reporter: Liping Mao (Cisco)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1
Description: Liping Mao from Cisco reported a denial of service vulnerability in Neutron's handling of allowed address pairs. By creating a large number of allowed address pairs, an authenticated user may overwhelm neutron firewall rules and render compute nodes unusable. All Neutron setups are affected.
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Liping Mao from Cisco as the original reporter.
Created attachment 917901 [details] master/juno patch for CVE-2014-3555
Created attachment 917902 [details] stable/havana patch for CVE-2014-3555
Created attachment 917904 [details] stable/icehouse patch for CVE-2014-3555
This issue is public: http://seclists.org/oss-sec/2014/q3/200
Created openstack-neutron tracking bugs for this issue: Affects: fedora-20 [bug 1122428]
openstack-neutron-2013.2.3-13.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Any updates on RHOSP trackers?
This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1078 https://rhn.redhat.com/errata/RHSA-2014-1078.html
Issue Description: A denial of service flaw was found in neutron's handling of allowed address pairs. As there was no enforced quota on the amount of allowed address pairs, a sufficiently authorized user could possibly create a large number of firewall rules, impacting performance or potentially rendering a compute node unusable.
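The missing control described above is a per-port cap on allowed address pairs. The following is an added illustration of such a check, written for this page and not Neutron's own code: it normalizes the requested pairs so duplicates are not counted twice, includes the pairs a port already carries (the update case), and rejects the request once the cap is exceeded. The cap value of 10 and the dictionary shape of a pair are assumptions.

```python
import ipaddress
import re

# Assumed per-port limit; a value of 10 is used here for illustration only.
MAX_ALLOWED_ADDRESS_PAIRS = 10

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


class AllowedAddressPairQuotaExceeded(ValueError):
    """Raised when a port would carry more pairs than the configured cap."""


def normalize_pair(pair):
    """Validate one {'ip_address': ..., 'mac_address': ...} dict (assumed shape)
    and return a canonical (network, mac) tuple so duplicates compare equal."""
    network = ipaddress.ip_network(pair["ip_address"], strict=False)
    mac = pair.get("mac_address")
    if mac is not None:
        if not _MAC_RE.match(mac):
            raise ValueError("invalid mac_address %r" % (mac,))
        mac = mac.lower()
    return (network.with_prefixlen, mac)


def check_allowed_address_pairs(requested, existing=(),
                                limit=MAX_ALLOWED_ADDRESS_PAIRS):
    """Return the deduplicated pairs a port would carry after this request,
    or raise AllowedAddressPairQuotaExceeded if that count exceeds the limit.
    'existing' holds the port's current pairs, so updates cannot grow past
    the cap one request at a time."""
    pairs = {normalize_pair(p) for p in existing}
    pairs.update(normalize_pair(p) for p in requested)
    if len(pairs) > limit:
        raise AllowedAddressPairQuotaExceeded(
            "port would have %d allowed address pairs, limit is %d"
            % (len(pairs), limit))
    # Each surviving pair is what the firewall driver turns into rules,
    # so bounding this list bounds the per-port rule count.
    return sorted(pairs, key=lambda p: (p[0], p[1] or ""))


if __name__ == "__main__":
    # Constructed input: the same host written two ways collapses to one pair.
    sample = [
        {"ip_address": "10.0.0.5/32", "mac_address": "AA:BB:CC:DD:EE:01"},
        {"ip_address": "10.0.0.5", "mac_address": "aa:bb:cc:dd:ee:01"},
    ]
    print(check_allowed_address_pairs(sample))
```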
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1120 https://rhn.redhat.com/errata/RHSA-2014-1120.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1119 https://rhn.redhat.com/errata/RHSA-2014-1119.html