OpenStack Security Advisory: 2014-039 (ERRATA 1) CVE: CVE-2014-7821 Date: December 10, 2014 Title: Neutron DoS through invalid DNS configuration Reporter: Henry Yamauchi, Charles Neill and Michael Xin (Rackspace) Products: Neutron Versions: up to 2014.1.3 and 2014.2 Description: Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a vulnerability in Neutron. By configuring a maliciously crafted dns_nameservers an authenticated user may crash Neutron service resulting in a denial of service attack. All Neutron setups are affected. Errata: The former fix did not take into account the usage of hostnames as nameserver and caused a regression for this use-case. This update provides an additional fix for that issue. Kilo (development branch) fixes: https://review.openstack.org/135616 (original) https://review.openstack.org/137560 (errata) Juno fixes: https://review.openstack.org/135623 (original) https://review.openstack.org/139061 (errata) Icehouse fixes: https://review.openstack.org/135624 (original) https://review.openstack.org/139063 (errata) Notes: These fixes are included in the 2014.2.1 release and will be included in a future 2014.1.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7821 https://launchpad.net/bugs/1378450 OSSA History: 2014-12-10 - Errata 1 2014-11-19 - Original Version -- Tristan Cacqueray OpenStack Vulnerability Management Team