[openstack-announce] [OSSA 2014-031] Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)

Grant Murphy gmurphy at redhat.com
Mon Sep 29 14:10:58 UTC 2014


OpenStack Security Advisory: OSSA-2014-031
CVE: CVE-2014-6414
Date: September 29, 2014

Title: Admin-only network attributes may be reset to defaults by non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: 2013.2 versions up to 2013.2.4, and 2014.1 versions up to 2014.1.2

Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By sending an update
that sets an admin-only network attribute to its default value, a non-privileged user
may reset that attribute without passing the admin-only policy check. This may lead
to unexpected behavior with security implications for operators with a custom
policy.json, or in some extreme cases to network outages resulting in denial of
service. All deployments using Neutron networking are affected by this flaw.
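The following is an added illustration, not Neutron's own code or the patch linked below. It models the policy decision in a few lines: an admin-only attribute is only policy-enforced when it is considered "explicitly set", and the vulnerable version treats a value equal to the attribute's default as not set, even on update. The attribute map, the sample network and the policy rule are constructed for the example; the real Neutron attribute map and policy.json are larger.

```python
# Added example: a reduced model of admin-only attribute enforcement on
# network update. Not the Neutron source; names and data are constructed.

# Sentinel for "the client did not send this attribute" (mirrors the idea of
# Neutron's ATTR_NOT_SPECIFIED; the object here is our own).
ATTR_NOT_SPECIFIED = object()

# Constructed subset of a network attribute map: admin-only attributes carry
# enforce_policy=True plus a default value.
NETWORK_ATTRIBUTES = {
    "name":            {"default": "",    "enforce_policy": False},
    "shared":          {"default": False, "enforce_policy": True},
    "router:external": {"default": False, "enforce_policy": True},
}

# Constructed sample: a network an admin has made shared and external.
SAMPLE_NET = {"name": "pub", "shared": True, "router:external": True}


def admin_only_attrs():
    """Attributes whose policy rule (constructed) is 'admin required'."""
    return {k for k, v in NETWORK_ATTRIBUTES.items() if v["enforce_policy"]}


def vulnerable_is_explicitly_set(attr, body, action):
    """Pre-fix logic: a value equal to the default is treated as 'not set',
    for create and update alike, so it never reaches the admin check."""
    spec = NETWORK_ATTRIBUTES[attr]
    return (attr in body
            and body[attr] is not ATTR_NOT_SPECIFIED
            and body[attr] != spec["default"])


def fixed_is_explicitly_set(attr, body, action):
    """Post-fix logic: on update, presence in the request body is what
    counts; comparing against the default only makes sense on create."""
    spec = NETWORK_ATTRIBUTES[attr]
    if attr not in body or body[attr] is ATTR_NOT_SPECIFIED:
        return False
    if action == "update":
        return True
    return body[attr] != spec["default"]


def authorize(action, body, is_admin, is_set):
    """True if the request passes; False if an admin-only attribute is being
    set by a non-admin (the policy rule is constructed for the example)."""
    for attr in admin_only_attrs():
        if is_set(attr, body, action) and not is_admin:
            return False
    return True


def apply_update(network, body, is_admin, is_set):
    """Apply an update if authorized. Returns (resulting network, allowed)."""
    if not authorize("update", body, is_admin, is_set):
        return dict(network), False
    updated = dict(network)
    updated.update(body)
    return updated, True


if __name__ == "__main__":
    # A non-admin tenant resets 'shared' to its default (False).
    body = {"shared": False}
    for label, is_set in (("vulnerable", vulnerable_is_explicitly_set),
                          ("fixed", fixed_is_explicitly_set)):
        net, ok = apply_update(SAMPLE_NET, body, is_admin=False, is_set=is_set)
        print(f"{label:10s} allowed={ok} shared={net['shared']}")
```

With the vulnerable check, the non-admin request succeeds and the network is no longer shared, which is exactly the outage scenario the advisory describes for other tenants using it; the same user setting shared=True is correctly rejected in both versions, which is why the flaw only affects resets to the default. Operators with a custom policy.json should confirm that their admin-only rules are keyed on attribute presence in an update, not on the value differing from the default.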

Juno (development branch) fix:
https://review.openstack.org/114531

Icehouse fix:
https://review.openstack.org/123849

Notes:
This fix will be included in the Juno release 2014.2.0 and in the
future 2014.1.3 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6414
https://launchpad.net/bugs/1357379

--
Grant Murphy
OpenStack Vulnerability Management Team