Neutron L2 agent DoS through incorrect allowed address pairs (CVE-2015-3221)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | Critical | Alexander Ignatov | |
| 6.0.x | Fix Released | Critical | MOS Maintenance | |
| 6.1.x | Fix Released | Critical | Alexander Nevenchannyy | |
| 7.0.x | Fix Released | Critical | Alexander Ignatov | |
Bug Description
This is [pre-OSSA] Vulnerability in OpenStack Neutron (CVE-2015-3221)
Title: Neutron L2 agent DoS through incorrect allowed address pairs
Reporter: Darragh O'Reilly (HP)
Products: Neutron
Affects: 2014.2 versions through 2014.2.3 and 2015.1.0 version
Description:
Darragh O'Reilly from HP reported a vulnerability in Neutron. By adding
an address pair which is rejected as invalid by the ipset tool, an
authenticated user may crash the Neutron L2 agent resulting in a denial
of service attack. Neutron setups using the IPTables firewall driver are
affected.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/juno, stable/kilo and master on the public
disclosure date.
CVE: CVE-2015-3221
Proposed public disclosure date/time:
2015-06-23, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.
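A defensive pattern for the failure mode described above, as an added example that is not Neutron's code or the attached patches: each port's address pairs are validated and applied separately, so an entry the set tool rejects marks only that port as failed instead of stopping the agent loop. `fake_set_tool`, `sync_ports`, the port dictionary shape and all sample values are assumptions constructed for illustration.

```python
import ipaddress

class SetToolError(Exception):
    """Raised when the external set tool rejects an entry (stand-in for an ipset failure)."""

def fake_set_tool(rejected):
    """Constructed stand-in for invoking ipset: rejects exactly the entries it is told to."""
    def add(set_name, cidr):
        if cidr in rejected:
            raise SetToolError(f"{set_name}: entry {cidr} rejected")
    return add

def parse_pair(ip_address):
    """Normalise an address-pair IP/CIDR; raises ValueError on malformed input."""
    return str(ipaddress.ip_network(ip_address, strict=False))

def sync_ports(ports, add_member):
    """Apply each port's address pairs, isolating failures to the offending port.

    ports: {port_id: [ip_or_cidr, ...]} (hypothetical shape, not Neutron's)
    Returns (applied, failed), where failed maps port_id -> reason.
    """
    applied, failed = {}, {}
    for port_id, pairs in ports.items():
        try:
            cidrs = [parse_pair(p) for p in pairs]
            for cidr in cidrs:
                add_member(f"set-{port_id}", cidr)
        except (ValueError, SetToolError) as exc:
            # One tenant's bad entry must not stop processing for every other port.
            failed[port_id] = str(exc)
            continue
        applied[port_id] = cidrs
    return applied, failed

# Constructed sample: port-b carries an entry the stand-in tool is told to reject,
# port-c carries malformed input. Neither value is taken from the advisory.
SAMPLE_PORTS = {
    "port-a": ["192.0.2.10", "192.0.2.64/26"],
    "port-b": ["198.51.100.0/24"],
    "port-c": ["not-an-address"],
    "port-d": ["2001:db8::/64"],
}

if __name__ == "__main__":
    tool = fake_set_tool(rejected={"198.51.100.0/24"})
    applied, failed = sync_ports(SAMPLE_PORTS, tool)
    print("applied:", applied)
    print("failed:", failed)
```

A port listed in `failed` is the signal to log and alert on: it identifies which tenant port supplied the rejected entry while the remaining ports keep their filtering.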
Changed in mos:
milestone: none → 6.1
importance: High → Critical
tags: added: 6.1-mu-1
information type: Private Security → Public Security
tags: added: feature-security
Change request for 6.0-updates branch https://review.fuel-infra.org/#/c/8287/