Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1345891 - (CVE-2016-5363) CVE-2016-5363 openstack-neutron: MAC source address spoofing vulnerability
CVE-2016-5363 openstack-neutron: MAC source address spoofing vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20160329,reported=2...
: Security
Depends On: 1349669 1349670 1350648 1350649 1350650 1350651 1350652 1350653
Blocks: 1345893
  Show dependency treegraph
 
Reported: 2016-06-13 07:42 EDT by Andrej Nemec
Modified: 2016-07-20 21:19 EDT (History)
25 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Neutron functionality includes internal firewall management between networks. Due to the relaxed nature of particular rules, it is possible for machines on the same layer 2 networks to forge non-IP traffic, such as ARP and DHCP requests.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-20 21:19:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1473 normal SHIPPED_LIVE Low: openstack-neutron security and bug fix update 2016-07-20 23:53:43 EDT
Red Hat Product Errata RHSA-2016:1474 normal SHIPPED_LIVE Low: openstack-neutron security, bug fix, and enhancement update 2016-07-20 23:53:34 EDT

  None (edit)
Description Andrej Nemec 2016-06-13 07:42:43 EDT 
A vulnerability in Neutron anti-spoof protection. By forging DHCP discovery messages or non-IP traffic, such as ARP or ICMPv6, an instance may spoof IP or MAC source addresses on attached networks resulting in denial of services and/or traffic interception. Moreover when L2population isn't used, other tenants attached to a shared network are also vulnerable. Neutron setups using the IPTables firewall driver are affected.

Upstream bug:

https://bugs.launchpad.net/bugs/1558658

References:

http://seclists.org/oss-sec/2016/q2/519
Comment 1 Garth Mollett 2016-06-23 19:48:52 EDT 
Created openstack-neutron tracking bugs for this issue:

Affects: fedora-all [bug 1349669]
Affects: openstack-rdo [bug 1349670]
Comment 9 errata-xmlrpc 2016-07-20 19:54:14 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:1474 https://access.redhat.com/errata/RHSA-2016:1474
Comment 10 errata-xmlrpc 2016-07-20 19:55:40 EDT 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:1473 https://access.redhat.com/errata/RHSA-2016:1473
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.