OpenStack Security Advisory: OSSA-2014-031 CVE: CVE-2014-6414 Date: September 29, 2014 Title: Admin-only network attributes may be reset to defaults by non-privileged users Reporter: Elena Ezhova (Mirantis) Products: Neutron Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2 Description: Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw. Juno (development branch) fix: https://review.openstack.org/114531 Icehouse fix: https://review.openstack.org/123849 Notes: This fix will be included in the Juno release 2014.2.0 and in future 2014.1.3 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6414 https://launchpad.net/bugs/1357379 -- Grant Murphy OpenStack Vulnerability Management Team