Bug 1090132 (CVE-2014-0187) - CVE-2014-0187 openstack-neutron: security groups bypass through invalid CIDR
Summary: CVE-2014-0187 openstack-neutron: security groups bypass through invalid CIDR
Alias: CVE-2014-0187
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1090136 1090137 1099099 1099103 1099104
Blocks: 1090135
TreeView+ depends on / blocked
Reported: 2014-04-22 16:22 UTC by Vincent Danen
Modified: 2021-02-17 06:37 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-17 04:48:39 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0899 0 normal SHIPPED_LIVE Moderate: openstack-neutron security, bug fix, and enhancement update 2014-07-17 08:28:02 UTC

Description Vincent Danen 2014-04-22 16:22:44 UTC
OpenStack Security Advisory: 2014-014
CVE: CVE-2014-0187
Date: April 22, 2014
Title: Neutron security groups bypass through invalid CIDR
Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom)
Products: Neutron
Versions: 2013.1 to 2013.2.3, and 2014.1

Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche
Telekom reported a vulnerability in Neutron security groups. By creating
a security group rule with an invalid CIDR, an authenticated user may
break openvswitch-agent process, preventing further rules from being
applied on the host. Note: removal of the faulty rule is not enough, the
openvswitch-agent must be restarted. All Neutron setups using Open
vSwitch are affected.

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.


Comment 2 Vincent Danen 2014-04-22 16:28:17 UTC
Created openstack-neutron tracking bugs for this issue:

Affects: fedora-20 [bug 1090136]

Comment 3 Ihar Hrachyshka 2014-05-21 11:13:24 UTC
This is a DoS security issue, you can break iptables-restore with it and effectively make later security rules created not working.

Steps to reproduce:
- neutron security-group-rule-create default --direction egress --protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-prefix /32
- observe that OVS agent crashes as in https://bugs.launchpad.net/neutron/+bug/1300785
- observe that any new security rules added are not applied to firewall tables.

Comment 4 Fedora Update System 2014-05-28 23:52:37 UTC
openstack-neutron-2013.2.3-7.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 errata-xmlrpc 2014-07-17 04:28:11 UTC
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0899 https://rhn.redhat.com/errata/RHSA-2014-0899.html

Note You need to log in before you can comment on or make changes to this bug.