CVE-2014-0056 – openstack-neutron: insufficient authorization checks when creating ports
https://notcve.org/view.php?id=CVE-2014-0056
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command. El agente l3 en OpenStack Neutron 2012.2 anterior a 2013.2.3 no comprueba el id inquilino cuando crea puertos, lo que permite a usuarios remotos autenticados enchufar puertos a los routers de inquilinos arbitrarios a través del id dispositivo en un comando port-create. • http://rhn.redhat.com/errata/RHSA-2014-0516.html http://www.openwall.com/lists/oss-security/2014/03/27/5 http://www.ubuntu.com/usn/USN-2194-1 https://bugs.launchpad.net/neutron/+bug/1243327 https://access.redhat.com/security/cve/CVE-2014-0056 https://bugzilla.redhat.com/show_bug.cgi?id=1063141 • CWE-285: Improper Authorization CWE-287: Improper Authentication •
CVE-2014-0187 – openstack-neutron: security groups bypass through invalid CIDR
https://notcve.org/view.php?id=CVE-2014-0187
The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4 and 2014.1 before 2014.1.1 allows remote authenticated users to bypass security group restrictions via an invalid CIDR in a security group rule, which prevents further rules from being applied. El proceso openvswitch-agent en OpenStack Neutron 2013.1 anterior a 2013.2.4 y 2014.1 anterior a 2014.1.1 permite a usuarios remotos autenticados evadir restricciones de seguridad de grupo a través de un CIDR invalido en una regla de seguridad de grupo, lo que previene que se aplican más reglas. • http://lists.opensuse.org/opensuse-updates/2014-08/msg00035.html http://secunia.com/advisories/59533 http://www.openwall.com/lists/oss-security/2014/04/22/8 http://www.ubuntu.com/usn/USN-2255-1 https://bugs.launchpad.net/neutron/+bug/1300785 https://access.redhat.com/security/cve/CVE-2014-0187 https://bugzilla.redhat.com/show_bug.cgi?id=1090132 • CWE-264: Permissions, Privileges, and Access Controls •