[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)
From: Grant Murphy <gmurphy () redhat ! com>
Date: 2014-03-27 15:48:56
Message-ID: 1395935336.3723.23.camel () lappy
[Download RAW message or body]
OpenStack Security Advisory: 2014-008
CVE: CVE-2014-0056
Date: March 27, 2014
Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMWare)
Products: Neutron
Affects: 2012.2 versions up to 2013.2.2
Description:
Aaron Rosen from VMWare reported a vulnerability where Neutron fails to
perform proper authorization checks when creating ports. By choosing a
device id of a router from a different tenant when creating a port, an
authenticated user can access the network of other tenants. This affects
deployments of Neutron using plugins relying on the l3-agent.
Icehouse (development branch) fix:
https://review.openstack.org/83391
Havana fix:
https://review.openstack.org/83393
Notes:
One should perform and audit of the ports that are already attached to
routers after applying this patch and remove ports that a tenant may
have cross plugged.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0056
https://bugs.launchpad.net/bugs/1243327
--
Grant Murphy
OpenStack Vulnerability Management Team
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic