<div dir="ltr"><div dir="ltr"><div>===========================================================================================</div><div>OSSA-2019-002: Overlapping security group rules prevents compute node network configuration</div><div>===========================================================================================</div><div><br></div><div>:Date: April 08, 2019</div><div>:CVE: CVE-2019-10876</div><div><br></div><div><br></div><div>Affects</div><div>~~~~~~~</div><div>- Neutron: >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3</div><div><br></div><div><br></div><div>Description</div><div>~~~~~~~~~~~</div><div>Diko Parvanov (Canonical) reported a vulnerability in neutron-</div><div>openvswitch-agent security group rules. By creating two security</div><div>groups with separate/overlapping port ranges, an authenticated user</div><div>may prevent neutron from being able to configure networks on any</div><div>compute nodes where those security groups are present. 
All neutron</div><div>deployments utilizing neutron-openvswitch-agent are affected.</div><div><br></div><div><br></div><div>Patches</div><div>~~~~~~~</div><div>- <a href="https://review.openstack.org/648102">https://review.openstack.org/648102</a> (Pike)</div><div>- <a href="https://review.openstack.org/648004">https://review.openstack.org/648004</a> (Queens)</div><div>- <a href="https://review.openstack.org/648003">https://review.openstack.org/648003</a> (Rocky)</div><div>- <a href="https://review.openstack.org/648002">https://review.openstack.org/648002</a> (Stein)</div><div>- <a href="https://review.openstack.org/640252">https://review.openstack.org/640252</a> (Train)</div><div><br></div><div><br></div><div>Credits</div><div>~~~~~~~</div><div>- Diko Parvanov from Canonical (CVE-2019-10876)</div><div><br></div><div><br></div><div>References</div><div>~~~~~~~~~~</div><div>- <a href="https://launchpad.net/bugs/1813007">https://launchpad.net/bugs/1813007</a></div><div>- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876</a></div></div></div>
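<div>An added example, not part of the advisory or of Neutron's code: a Python check that applies the version ranges from the Affects section to a host inventory and reports which hosts need the fixed release. The inventory, host names and function names are constructed for illustration, and pre-release strings such as 12.0.6.dev4 are ordered below their final release.</div>

```python
import re

# Affected ranges from the advisory's "Affects" section, as
# (first affected release, first fixed release) for each series.
AFFECTED = [((11, 0, 0), (11, 0, 7)),
            ((12, 0, 0), (12, 0, 6)),
            ((13, 0, 0), (13, 0, 3))]
AGENT = "neutron-openvswitch-agent"  # the only agent the advisory names

# X.Y.Z with an optional pre-release tail such as ".dev12" or ".0rc1".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(\.?\d*(?:dev|a|b|rc)\d*)?$")


def version_key(version):
    """Sortable key; a pre-release sorts below its final release."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(n) for n in m.group(1, 2, 3)) + (0 if m.group(4) else 1,)


def fixed_release_for(version):
    """Return the first fixed release if version is in an affected range, else None."""
    key = version_key(version)
    for low, high in AFFECTED:
        if low + (1,) <= key < high + (1,):
            return ".".join(str(n) for n in high)
    return None


def audit(inventory):
    """Return [(host, installed, upgrade_to)] for hosts needing the fix."""
    findings = []
    for host, agent, version in inventory:
        target = fixed_release_for(version) if agent == AGENT else None
        if target:
            findings.append((host, version, target))
    return findings


# Constructed inventory (hypothetical host names): (host, agent, Neutron version).
SAMPLE_INVENTORY = [
    ("compute-01", "neutron-openvswitch-agent", "13.0.2"),
    ("compute-02", "neutron-openvswitch-agent", "13.0.3"),
    ("compute-03", "neutron-openvswitch-agent", "12.0.6.dev4"),
    ("compute-04", "neutron-linuxbridge-agent", "11.0.5"),
    ("compute-05", "neutron-openvswitch-agent", "10.0.7"),
]

if __name__ == "__main__":
    for host, installed, target in audit(SAMPLE_INVENTORY):
        print("%s: neutron %s is in an affected range, upgrade to >= %s" % (host, installed, target))
```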