[OSSA-2019-002] Unable to install new flows on compute nodes when having broken security group rules (CVE-2019-10876)
===========================================================================================
OSSA-2019-002: Overlapping security group rules prevents compute node network configuration
===========================================================================================

:Date: April 08, 2019
:CVE: CVE-2019-10876

Affects
~~~~~~~
- Neutron: >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3

Description
~~~~~~~~~~~
Diko Parvanov (Canonical) reported a vulnerability in neutron-openvswitch-agent security group rules. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent neutron from being able to configure networks on any compute nodes where those security groups are present. All neutron deployments utilizing neutron-openvswitch-agent are affected.

Patches
~~~~~~~
- https://review.openstack.org/648102 (Pike)
- https://review.openstack.org/648004 (Queens)
- https://review.openstack.org/648003 (Rocky)
- https://review.openstack.org/648002 (Stein)
- https://review.openstack.org/640252 (Train)

Credits
~~~~~~~
- Diko Parvanov from Canonical (CVE-2019-10876)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1813007
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876
Gage Hugo
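
The following is an added example, not part of the advisory or of the Neutron code base: a small audit helper that checks installed Neutron versions against the affected ranges listed under "Affects". The function names, host names and inventory values are constructed for illustration.

```python
import re

# Affected upstream Neutron ranges from OSSA-2019-002: (first affected, first fixed)
AFFECTED_RANGES = [
    ((11, 0, 0), (11, 0, 7)),
    ((12, 0, 0), (12, 0, 6)),
    ((13, 0, 0), (13, 0, 3)),
]

# Optional package epoch ("2:"), then major.minor.patch; any suffix is ignored.
_VERSION_RE = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)\.(\d+)")

# Constructed inventory: host names and version strings are sample values.
SAMPLE_INVENTORY = {
    "compute-01": "12.0.5",
    "compute-02": "2:13.0.2-0ubuntu1",
    "compute-03": "13.0.3",
    "compute-04": "11.0.7",
}


def parse_version(raw):
    """Extract (major, minor, patch) from an upstream or distro package version."""
    match = _VERSION_RE.match(raw.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % raw)
    return tuple(int(part) for part in match.groups())


def first_fixed_release(raw):
    """Return the first fixed release if `raw` is in an affected range, else None."""
    version = parse_version(raw)
    for low, fixed in AFFECTED_RANGES:
        if low <= version < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def audit(inventory):
    """Map host -> first fixed release, for hosts running an affected version."""
    results = {host: first_fixed_release(raw) for host, raw in inventory.items()}
    return {host: fixed for host, fixed in results.items() if fixed}


if __name__ == "__main__":
    for host, fixed in sorted(audit(SAMPLE_INVENTORY).items()):
        print("%s: affected, upgrade neutron to >= %s" % (host, fixed))
```

The check compares upstream version numbers only. A distribution package may carry the fix as a backport without changing the upstream version, so confirm flagged hosts against the vendor changelog.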