Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1163457 - (CVE-2014-7821) CVE-2014-7821 openstack-neutron: DoS via maliciously crafted dns_nameservers
CVE-2014-7821 openstack-neutron: DoS via maliciously crafted dns_nameservers
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20141119,repor...
: Security
Depends On: 1165886 1165887 1166074 1166075 1166318 1168800
Blocks: 1163459
  Show dependency treegraph
 
Reported: 2014-11-12 13:06 EST by Vincent Danen
Modified: 2016-04-26 12:16 EDT (History)
20 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way neutron handled the 'dns_nameservers' parameter. By providing specially crafted 'dns_nameservers' values, an authenticated user could use this flaw to crash the neutron service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-13 19:10:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch for CVE-2014-7821 (stable-juno) (1.46 KB, patch)
2014-11-12 13:09 EST, Vincent Danen 		no flags Details | Diff
patch for CVE-2014-7821 (stable-icehouse) (1.46 KB, patch)
2014-11-12 13:10 EST, Vincent Danen 		no flags Details | Diff
patch for CVE-2014-7821 (master-kilo) (1.46 KB, patch)
2014-11-12 13:10 EST, Vincent Danen 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 135616 None None None Never
Red Hat Product Errata RHSA-2014:1938 normal SHIPPED_LIVE Moderate: openstack-neutron security and bug fix update 2014-12-02 16:48:36 EST
Red Hat Product Errata RHSA-2014:1942 normal SHIPPED_LIVE Moderate: openstack-neutron security and bug fix update 2014-12-02 16:58:59 EST
Red Hat Product Errata RHSA-2015:0044 normal SHIPPED_LIVE Moderate: openstack-neutron security update 2015-01-13 17:57:13 EST

  None (edit)
Description Vincent Danen 2014-11-12 13:06:17 EST 
Reporter: Henry Yamauchi, Charles Neill and Michael Xin (Rackspace)
Products: Neutron
Versions: up to 2014.1.3 and 2014.2

Description:
Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a
vulnerability in Neutron. By configuring a maliciously crafted
dns_nameservers an authenticated user may crash Neutron service
resulting in a denial of service attack. All Neutron setups are
affected.


Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Henry Yamauchi, Charles Neill and Michael Xin (Rackspace) as the original reporters.
Comment 1 Vincent Danen 2014-11-12 13:09:48 EST 
Created attachment 956842 [details]
patch for CVE-2014-7821 (stable-juno)
Comment 2 Vincent Danen 2014-11-12 13:10:11 EST 
Created attachment 956843 [details]
patch for CVE-2014-7821 (stable-icehouse)
Comment 3 Vincent Danen 2014-11-12 13:10:43 EST 
Created attachment 956844 [details]
patch for CVE-2014-7821 (master-kilo)
Comment 5 Murray McAllister 2014-11-19 18:38:19 EST 
This issue is public now:

http://seclists.org/oss-sec/2014/q4/690
Comment 6 Murray McAllister 2014-11-19 18:41:20 EST 
Created openstack-neutron tracking bugs for this issue:

Affects: openstack-rdo [bug 1165886]
Affects: fedora-all [bug 1165887]
Comment 8 Martin Prpič 2014-11-25 04:04:34 EST 
IssueDescription:

A denial of service flaw was found in the way neutron handled the 'dns_nameservers' parameter. By providing specially crafted 'dns_nameservers' values, an authenticated user could use this flaw to crash the neutron service.
Comment 9 Ihar Hrachyshka 2014-11-25 13:10:17 EST 
I suspect we also need a bug for Havana (RHOS4).
Comment 11 Ihar Hrachyshka 2014-11-28 08:34:29 EST 
This fix introduced a regression: http://lists.openstack.org/pipermail/openstack-dev/2014-November/051757.html
Comment 12 errata-xmlrpc 2014-12-02 11:48:57 EST 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1938 https://rhn.redhat.com/errata/RHSA-2014-1938.html
Comment 13 errata-xmlrpc 2014-12-02 12:00:32 EST 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1942 https://rhn.redhat.com/errata/RHSA-2014-1942.html
Comment 14 errata-xmlrpc 2015-01-13 12:57:34 EST 
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2015:0044 https://rhn.redhat.com/errata/RHSA-2015-0044.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.