|
Message-ID: <20140929141221.GC17554@lappy.redhat.com>
Date: Tue, 30 Sep 2014 00:12:23 +1000
From: Grant Murphy <gmurphy@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-031] Admin-only network attributes may be reset to
defaults by non-privileged users (CVE-2014-6414)
OpenStack Security Advisory: OSSA-2014-031
CVE: CVE-2014-6414
Date: September 29, 2014
Title: Admin-only network attributes may be reset to defaults by non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2
Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network
attribute with a default value a non-privileged user may reset admin-only network
attributes. This may lead to unexpected behavior with security implications for
operators with a custom policy.json, or in some extreme cases network outages
resulting in denial of service. All deployments using neutron networking are
affected by this flaw.
Juno (development branch) fix:
https://review.openstack.org/114531
Icehouse fix:
https://review.openstack.org/123849
Notes:
This fix will be included in the Juno release 2014.2.0 and in
future 2014.1.3 release.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6414
https://launchpad.net/bugs/1357379
--
Grant Murphy
OpenStack Vulnerability Management Team
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.