CVE-2014-3555
openstack-neutron: Denial of Service in Neutron allowed address pair
Public Exploits: 0
Exploited in Wild: -
Descriptions
OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs.
A denial of service flaw was found in neutron's handling of allowed address pairs. As there was no enforced quota on the number of allowed address pairs, a sufficiently authorized user could possibly create a large number of firewall rules, impacting performance or potentially rendering a compute node unusable.
OpenStack Networking is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum' as the core component of OpenStack Networking.
Timeline
- 2014-05-14 CVE Reserved
- 2014-07-23 CVE Published
- 2024-08-06 CVE Updated
- 2025-04-07 EPSS Updated
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-400: Uncontrolled Resource Consumption
References (10)
URL | Tag | Source |
---|---|---|
http://seclists.org/oss-sec/2014/q3/200 | Mailing List | |
http://secunia.com/advisories/60766 | Third Party Advisory | |
http://secunia.com/advisories/60804 | Third Party Advisory | |
http://www.securityfocus.com/bid/68765 | Vdb Entry | |
https://bugs.launchpad.net/neutron/+bug/1336207 | X_refsource_misc | |

URL | Date | SRC |
---|---|---|
http://lists.openstack.org/pipermail/openstack-announce/2014-July/000255.html | 2023-02-13 | |
http://rhn.redhat.com/errata/RHSA-2014-1119.html | 2023-02-13 | |
http://rhn.redhat.com/errata/RHSA-2014-1120.html | 2023-02-13 | |
https://access.redhat.com/security/cve/CVE-2014-3555 | 2014-09-02 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1118833 | 2014-09-02 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Openstack | Neutron | 2013.2.4 | - | Affected |
Openstack | Neutron | 2014.1 | - | Affected |
Openstack | Neutron | 2014.1.1 | - | Affected |
Openstack | Neutron | juno-1 | - | Affected |