[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [OSSA 2015-012] Neutron L2 agent DoS through incorrect allowed address pairs (CVE-201
From: Tristan Cacqueray <tdecacqu () redhat ! com>
Date: 2015-06-23 17:08:54
Message-ID: 558992A6.9050708 () redhat ! com
[Download RAW message or body]
===========================================================================
OSSA-2015-012: Neutron L2 agent DoS through incorrect allowed address pairs
===========================================================================
:Date: June 23, 2015
:CVE: CVE-2015-3221
Affects
~~~~~~~
- Neutron: 2014.2 versions through 2014.2.3 and 2015.1.0 version
Description
~~~~~~~~~~~
Darragh O'Reilly from HP reported a vulnerability in Neutron. By
adding an address pair which is rejected as invalid by the ipset tool,
an authenticated user may crash the Neutron L2 agent resulting in a
denial of service attack. Neutron setups using the IPTables firewall
driver are affected.
Patches
~~~~~~~
- https://review.openstack.org/194696 (Juno)
- https://review.openstack.org/194697 (Kilo)
- https://review.openstack.org/194695 (Liberty)
Credits
~~~~~~~
- Darragh O'Reilly from HP (CVE-2015-3221)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1461054
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3221
Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo)
releases.
- Zero prefixed address pairs are no longer accepted by the Juno API, users
need to use 0.0.0.0/1 and 128.0.0.1/1 or ::/1 and 8000::/1 instead. The
fix_zero_length_ip_prefix.py tool is provided to clean ports previously
configured with a zero prefixed address pair
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic