A flaw was found in openstack-neutron. When merging port ranges, the code never assumed the conjunction ID might not be present in the set due to already being removed. This can lead to server crash and denial of service. Upstream patch: https://review.openstack.org/#/c/640252/ https://review.openstack.org/#/c/648102/2 https://review.openstack.org/#/c/648004/2 https://review.openstack.org/#/c/648003/2 https://review.openstack.org/#/c/648002/2 References: https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1813007 https://bugs.launchpad.net/ossa/+bug/1813007 https://review.openstack.org/#/q/topic:bug/1813007
Created openstack-neutron tracking bugs for this issue: Affects: openstack-rdo [bug 1695884]
Introduced in the following upstream committ. https://github.com/openstack/neutron/commit/237ec30ca94322716a1af5e59c0960f0eef24194
Statement: The pre-requisites for this vulnerability are not in Red Hat OpenStack prior to version 11, hence these versions are not affected.
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2019:0935 https://access.redhat.com/errata/RHSA-2019:0935
This issue has been addressed in the following products: Red Hat OpenStack Platform 14.0 (Rocky) Via RHSA-2019:0879 https://access.redhat.com/errata/RHSA-2019:0879