OpenStack Security Advisory: 2014-039 CVE: CVE-2014-7821 Date: November 19, 2014 Title: Neutron DoS through invalid DNS configuration Reporter: Henry Yamauchi, Charles Neill and Michael Xin (Rackspace) Products: Neutron Versions: up to 2014.1.3 and 2014.2 Description: Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a vulnerability in Neutron. By configuring a maliciously crafted dns_nameservers an authenticated user may crash Neutron service resulting in a denial of service attack. All Neutron setups are affected. Kilo (development branch) fix: https://review.openstack.org/135616 Juno fix: https://review.openstack.org/135623 Icehouse fix: https://review.openstack.org/135624 Notes: This fix will be included in future 2014.1.4 and 2014.2.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7821 https://launchpad.net/bugs/1378450 -- Tristan Cacqueray OpenStack Vulnerability Management Team