Bug 1934330 (CVE-2021-20267) - CVE-2021-20267 openstack-neutron: Anti-spoofing bypass using Open vSwitch
Summary: CVE-2021-20267 openstack-neutron: Anti-spoofing bypass using Open vSwitch
Alias: CVE-2021-20267
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
: 1962090 1962091 1962092 (view as bug list)
Depends On: 1934331 1934332 1934333 2003423
Blocks: 1895763
TreeView+ depends on / blocked
Reported: 2021-03-03 01:46 UTC by Summer Long
Modified: 2023-07-07 08:29 UTC (History)
13 users (show)

Fixed In Version: neutron 15.3.3, neutron 16.3.1, neutron 17.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch firewall driver are affected. Source: OpenStack project
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Summer Long 2021-03-03 01:46:52 UTC
VMs can send ICMPv6 Neighbor Advertisement packets with no check on their content to mis-direct traffic to them (source address spoofing).
Pre-condition: two running VMs in the same L2 flat network with IPv6 connectivity

Upstream bug: https://bugs.launchpad.net/neutron/+bug/1902917
Upstream patch: https://review.opendev.org/c/openstack/neutron/+/776599

See also: https://bugzilla.redhat.com/show_bug.cgi?id=1345892 (same issue but for OpenVSwitch driver instead of iptables)

Comment 2 Summer Long 2021-03-03 01:48:21 UTC
Created openstack-neutron tracking bugs for this issue:

Affects: openstack-rdo [bug 1934331]

Comment 7 Summer Long 2021-03-05 02:37:06 UTC

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 11 Slawek Kaplonski 2021-05-19 10:06:01 UTC
*** Bug 1962090 has been marked as a duplicate of this bug. ***

Comment 12 Slawek Kaplonski 2021-05-19 10:06:11 UTC
*** Bug 1962091 has been marked as a duplicate of this bug. ***

Comment 13 Slawek Kaplonski 2021-05-19 10:06:13 UTC
*** Bug 1962092 has been marked as a duplicate of this bug. ***

Comment 17 Slawek Kaplonski 2021-06-09 10:34:36 UTC
Fix included also in openstack-neutron-12.1.1-44.el7ost for OSP-13.0 already

Note You need to log in before you can comment on or make changes to this bug.