Bug 949070 (CVE-2015-7713)

Summary: VUL-0: CVE-2015-7713: openstack-nova: network security group changes are not applied to running instances
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: cloud-bugs, smash_bz, vuntz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/157359/
Whiteboard: CVSSv2:RedHat:CVE-2015-7713:5.5:(AV:N/AC:L/Au:S/C:P/I:P/A:N) CVSSv2:NVD:CVE-2015-7713:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2015-10-06 15:57:30 UTC
Nova network security group changes are not applied to running instances
Reporter: Sreekumar S and Suntao
Products: Nova
Affects: <=2014.2.3, >=2015.1.0, <=2015.1.1

Description:
Sreekumar S and Suntao independently reported a vulnerability in Nova
network. Security group changes silently fail to be applied to already
running instances, potentially resulting in instances not being
protected by the security group. All Nova network setups are affected.

References:
https://launchpad.net/bugs/1491307
https://launchpad.net/bugs/1484738
http://seclists.org/oss-sec/2015/q4/41
https://bugzilla.redhat.com/show_bug.cgi?id=1269119
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7713
http://seclists.org/oss-sec/2015/q4/41
Comment 1 Swamp Workflow Management 2015-10-06 22:00:25 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-10-12 13:51:24 UTC
Patches
~~~~~~~
- https://review.openstack.org/222026 (Juno)
- https://review.openstack.org/222023 (Kilo)
- https://review.openstack.org/222022 (Liberty)
Comment 3 Vincent Untz 2015-10-13 12:08:40 UTC
Submitted in mr#74069.
Comment 4 Swamp Workflow Management 2015-12-07 18:11:49 UTC
SUSE-SU-2015:2219-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 927625,935017,942457,944178,945923,949070,949529
CVE References: CVE-2015-3241,CVE-2015-3280,CVE-2015-7713
Sources used:
SUSE OpenStack Cloud 5 (src):    openstack-nova-2014.2.4~a0~dev80-20.1, openstack-nova-doc-2014.2.4~a0~dev80-20.1
Comment 5 Swamp Workflow Management 2015-12-07 18:14:04 UTC
SUSE-SU-2015:2220-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 927625,935017,935263,939691,942457,943648,944178,945923,948704,949070,949529
CVE References: CVE-2015-3221,CVE-2015-3241,CVE-2015-3280,CVE-2015-5240,CVE-2015-7713
Sources used:
SUSE OpenStack Cloud Compute 5 (src):    openstack-neutron-2014.2.4~a0~dev103-10.3, openstack-nova-2014.2.4~a0~dev80-14.1, python-python-memcached-1.54-2.1
Comment 6 Marcus Meissner 2016-02-10 07:37:37 UTC
released