It was reported that a vulnerability was found in Neutron. By changing the device owner of an instance's port right after it is created, an authenticated user may prevent application of firewall rules and so avoid IP anti-spoofing controls. All Neutron setups using the ML2 plugin or a plugin that relies on the security groups AMQP API are affected. All Neutron setups using the ML2 plugin or a plugin that relies on the security groups AMQP API are affected.
Vulnerability affects versions through 2014.2.3 and 2015.1 versions through 2015.1.1
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Kevin Benton from Mirantis as the original reporter.
Created openstack-neutron tracking bugs for this issue:
Affects: openstack-rdo [bug 1261385]
Affects: fedora-all [bug 1261386]
This issue has been addressed in the following products:
OpenStack 5 for RHEL 7
OpenStack 5 for RHEL 6
OpenStack 7 For RHEL 7
OpenStack 6 for RHEL 7
Via RHSA-2015:1909 https://rhn.redhat.com/errata/RHSA-2015-1909.html