========================================================= OSSA-2015-001: L3 agent denial of service with radvd 2.0+ ========================================================= :Date: January 08, 2015 :CVE: CVE-2014-8153 Affects ~~~~~~~ - Neutron: 2014.2 version up to 2014.2.1 Description ~~~~~~~~~~~ Ihar Hrachyshka from Red Hat reported a vulnerability in Neutron. By creating 8 routers and assigning each of them a non-provider ipv6 subnet, a malicious user may block router update processing for all tenants, potentially resulting in a Denial of Service. Only Neutron setups running with radvd 2.0+ are affected. Patches ~~~~~~~ - https://review.openstack.org/141575 (Juno) - https://review.openstack.org/138688 (Kilo) Credits ~~~~~~~ - Ihar Hrachyshka from Red Hat (CVE-2014-8153) References ~~~~~~~~~~ - https://launchpad.net/bugs/1399172 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8153 Notes ~~~~~ - This fix will be included in a future 2014.2.2 release. - The OSSA announce format for the 2015 advisories has been changed to RST. -- Tristan Cacqueray OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20150108/fda8d474/attachment.pgp>