CVE-2019-9735 – openstack-neutron: incorrect validation of port settings in iptables security group driver
https://notcve.org/view.php?id=CVE-2019-9735
An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.) Se ha detectado un fallo en el módulo de firewall iptables en OpenStack Neutron en versiones anteriores a la 10.0.8, en las 11.x anteriores a la 11.0.7, en las 12.x anteriores a la 12.0.6 y en las 13.x anteriores a la 13.0.3. Al establecer un puerto de destino en una regla de grupo de seguridad, junto con un protocolo que no soporta dicha opción (p.ej., VRRP), un usuario autenticado podría bloquear la mayor aplicación de esas reglas de grupo de seguridad para instancias desde cualquier project/tenant en los hosts de computación a los cuales se aplican. • http://www.openwall.com/lists/oss-security/2019/03/18/2 http://www.securityfocus.com/bid/107390 https://access.redhat.com/errata/RHSA-2019:0879 https://access.redhat.com/errata/RHSA-2019:0916 https://access.redhat.com/errata/RHSA-2019:0935 https://launchpad.net/bugs/1818385 https://seclists.org/bugtraq/2019/Mar/24 https://security.openstack.org/ossa/OSSA-2019-001.html https://usn.ubuntu.com/4036-1 https://www.debian.org/security/2019/dsa-4409 https://a • CWE-20: Improper Input Validation CWE-755: Improper Handling of Exceptional Conditions •
CVE-2018-14636
https://notcve.org/view.php?id=CVE-2018-14636
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable. • https://bugs.launchpad.net/neutron/+bug/1734320 https://bugs.launchpad.net/neutron/+bug/1767422 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14636 • CWE-300: Channel Accessible by Non-Endpoint •
CVE-2017-7543 – openstack-neutron: iptables not active after update
https://notcve.org/view.php?id=CVE-2017-7543
A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources. Se ha descubierto una condición de carrera en openstack-neutron en versiones anteriores a la 7.2.0-12.1, 8.x anteriores a la 8.3.0-11.1, 9.x anteriores a la 9.3.1-2.1 y 10.x anteriores a la 10.0.2-1.1, cuando, siguiendo a una actualización overcloud menor, los grupos de seguridad neutron estaban deshabilitados. De manera específica, lo siguiente se ha reiniciado a 0: net.bridge.bridge-nf-call-ip6tables y net.bridge.bridge-nf-call-iptables. • http://www.securityfocus.com/bid/100237 https://access.redhat.com/errata/RHSA-2017:2447 https://access.redhat.com/errata/RHSA-2017:2448 https://access.redhat.com/errata/RHSA-2017:2449 https://access.redhat.com/errata/RHSA-2017:2450 https://access.redhat.com/errata/RHSA-2017:2451 https://access.redhat.com/errata/RHSA-2017:2452 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7543 https://access.redhat.com/security/cve/CVE-2017-7543 https://bugzilla.redhat.com/sh • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2015-8914 – openstack-neutron: ICMPv6 source address spoofing vulnerability
https://notcve.org/view.php?id=CVE-2015-8914
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended ICMPv6-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via a link-local source address. El firewall IPTables en OpenStack Neutron en versiones anteriores a 7.0.4 y 8.0.0 hasta la versión 8.1.0 permite a atacantes remotos eludir un mecanismo destinado a la protección ICMPv6-spoofing y consecuentemente causar una denegación de servicio o interceptar tráfico de la red a través de de una dirección fuente local de enlace. Neutron functionality includes internal firewall management between networks. Due to the relaxed nature of particular rules, it is possible for machines on the same layer 2 networks to forge non-IP traffic, such as ARP and DHCP requests. • http://www.openwall.com/lists/oss-security/2016/06/10/5 http://www.openwall.com/lists/oss-security/2016/06/10/6 https://access.redhat.com/errata/RHSA-2016:1473 https://access.redhat.com/errata/RHSA-2016:1474 https://bugs.launchpad.net/neutron/+bug/1502933 https://review.openstack.org/#/c/300233 https://review.openstack.org/#/c/310648 https://review.openstack.org/#/c/310652 https://security.openstack.org/ossa/OSSA-2016-009.html https://access. • CWE-254: 7PK - Security Features •
CVE-2016-5363 – openstack-neutron: MAC source address spoofing vulnerability
https://notcve.org/view.php?id=CVE-2016-5363
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended MAC-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via (1) a crafted DHCP discovery message or (2) crafted non-IP traffic. El firewall IPTables en OpenStack Neutron en versiones anteriores a 7.0.4 y 8.0.0 hasta la versión 8.1.0 permite a atacantes remotos eludir un mecanismo de protección destinado a suplantar una MAC y consecuentemente provocar una denegación de servicio o interceptar tráfico de red a través de (1) la detección de un mensaje DHCP manipulado o (2) tráfico no IP manipulado. Neutron functionality includes internal firewall management between networks. Due to the relaxed nature of particular rules, it is possible for machines on the same layer 2 networks to forge non-IP traffic, such as ARP and DHCP requests. • http://www.openwall.com/lists/oss-security/2016/06/10/5 http://www.openwall.com/lists/oss-security/2016/06/10/6 https://access.redhat.com/errata/RHSA-2016:1473 https://access.redhat.com/errata/RHSA-2016:1474 https://bugs.launchpad.net/neutron/+bug/1558658 https://review.openstack.org/#/c/299021 https://review.openstack.org/#/c/299023 https://review.openstack.org/#/c/299025 https://security.openstack.org/ossa/OSSA-2016-009.html https://access. • CWE-254: 7PK - Security Features •