[openstack-announce] [OSSA 2015-001] L3 agent denial of service with radvd 2.0+ (CVE-2014-8153)

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Jan 8 17:53:04 UTC 2015


=========================================================
OSSA-2015-001: L3 agent denial of service with radvd 2.0+
=========================================================

:Date: January 08, 2015
:CVE: CVE-2014-8153


Affects
~~~~~~~
- Neutron: 2014.2 version up to 2014.2.1


Description
~~~~~~~~~~~
Ihar Hrachyshka from Red Hat reported a vulnerability in Neutron. By
creating 8 routers and assigning each of them a non-provider IPv6
subnet, a malicious user may block router update processing for all
tenants, potentially resulting in a Denial of Service. Only Neutron
setups running with radvd 2.0+ are affected.


Patches
~~~~~~~
- https://review.openstack.org/141575 (Juno)
- https://review.openstack.org/138688 (Kilo)


Credits
~~~~~~~
- Ihar Hrachyshka from Red Hat (CVE-2014-8153)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1399172
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8153


Notes
~~~~~
- This fix will be included in a future 2014.2.2 release.
- The OSSA announce format for the 2015 advisories has been changed to
  RST.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
