Bugzilla – Bug 1108033
VUL-0: CVE-2018-14635: openstack-neutron: denial of service when non-privileged tenants using the Linux bridge ml2 driver
Last modified: 2020-03-24 14:01:22 UTC
rh#1607822 When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside of the allowed allocation pool. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3 and 11.0.5 are vulnerable.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1607822
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14635
https://git.openstack.org/cgit/openstack/neutron/commit/?id=54aa6e81cb17b33ce4d5d469cc11dec2869c762d
https://bugs.launchpad.net/neutron/+bug/1757482
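An audit check a defender could run over exported port and subnet records to surface the conditions the description above names: ports with no fixed IP (where address validation never ran), addresses outside the allocation pool, and addresses colliding with the subnet gateway or with another port. This is added example code, not neutron's own code or its fix; the record shape, field names and sample values are constructed and only loosely follow `openstack port show -f json` output.

```python
import ipaddress

# Constructed sample subnet: the allocation pool covers only .10-.100.
SUBNETS = {
    "subnet-a": {
        "gateway_ip": "10.0.0.1",
        "allocation_pools": [{"start": "10.0.0.10", "end": "10.0.0.100"}],
    },
}

# Constructed sample ports (simplified shape of `openstack port show -f json`).
PORTS = [
    {"id": "p1", "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "10.0.0.42"}]},
    {"id": "p2", "fixed_ips": []},  # created with no IP: the case the advisory describes
    {"id": "p3", "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "10.0.0.1"}]},  # router address
    {"id": "p4", "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "10.0.0.200"}]},  # outside pool
    {"id": "p5", "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "10.0.0.42"}]},  # duplicates p1
]

def in_pool(ip, subnet):
    """True if ip lies inside one of the subnet's allocation pools."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(p["start"]) <= addr <= ipaddress.ip_address(p["end"])
               for p in subnet["allocation_pools"])

def audit_ports(ports, subnets):
    """Return {port_id: [findings]} for ports whose addressing would not have passed
    normal IP validation: no address, outside the pool, or colliding with a router/port."""
    owners = {}  # (subnet_id, ip) -> port ids using that address, for duplicate detection
    for port in ports:
        for fip in port["fixed_ips"]:
            owners.setdefault((fip["subnet_id"], fip["ip_address"]), []).append(port["id"])
    findings = {}
    for port in ports:
        issues = []
        if not port["fixed_ips"]:
            issues.append("no fixed IP (address validation never ran)")
        for fip in port["fixed_ips"]:
            ip, subnet = fip["ip_address"], subnets[fip["subnet_id"]]
            if ip == subnet["gateway_ip"]:
                issues.append(f"{ip}: conflicts with the subnet gateway (router)")
            elif not in_pool(ip, subnet):
                issues.append(f"{ip}: outside allocation pool")
            others = [o for o in owners[(fip["subnet_id"], ip)] if o != port["id"]]
            if others:
                issues.append(f"{ip}: also assigned to {', '.join(others)}")
        if issues:
            findings[port["id"]] = issues
    return findings
```

Ports without a fixed IP are not all suspicious (a port on a network with no subnets has none by design), so the output is a review list, not a verdict.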
Reassigning to Cloud team.
This was fixed upstream in the following versions:
> This issue was fixed in the openstack/neutron 12.0.4 release.
> This issue was fixed in the openstack/neutron 11.0.6 release.
However, we are still tracking this issue for: SUSE:SLE-12-SP2:Update:Products:Cloud7:Update
https://jira.suse.com/browse/SOC-10076 created and added to backlog
Request to OBS:Cloud:OpenStack:Newton:Staging https://build.opensuse.org/request/show/726596
SUSE-SU-2019:2671-1: An update that solves 6 vulnerabilities and has 17 fixes is now available.

Category: security (moderate)
Bug References: 1019074,1052286,1106515,1108033,1115960,1118159,1118900,1120657,1127558,1128954,1128987,1131053,1131961,1132860,1133719,1133722,1136784,1143475,1145796,1145867,1148383,1150895,1152916
CVE References: CVE-2016-10127,CVE-2018-15727,CVE-2018-19039,CVE-2018-558213,CVE-2019-15043,CVE-2019-5477
Sources used:
SUSE OpenStack Cloud 7 (src): crowbar-core-4.0+git.1570463621.40b11cd48-9.54.1, crowbar-openstack-4.0+git.1569429513.e7016b2b6-9.59.1, grafana-4.6.5-1.11.2, novnc-1.0.0-12.1, openstack-keystone-10.0.3~dev9-7.18.2, openstack-keystone-doc-10.0.3~dev9-7.18.2, openstack-neutron-9.4.2~dev21-7.32.1, openstack-neutron-doc-9.4.2~dev21-7.32.1, openstack-neutron-lbaas-9.2.2~dev11-4.18.3, openstack-neutron-lbaas-doc-9.2.2~dev11-4.18.3, openstack-nova-14.0.11~dev13-4.34.3, openstack-nova-doc-14.0.11~dev13-4.34.2, openstack-tempest-12.2.1~a0~dev177-4.6.3, python-pysaml2-4.0.2-3.11.3, python-urllib3-1.16-3.9.2, rubygem-chef-10.32.2-5.12.1, rubygem-easy_diff-1.0.0-3.3.1, sleshammer-0.7.0-0.18.12.3
SUSE Enterprise Storage 4 (src): crowbar-core-4.0+git.1570463621.40b11cd48-9.54.1, rubygem-chef-10.32.2-5.12.1, rubygem-easy_diff-1.0.0-3.3.1, sleshammer-0.7.0-0.18.12.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I think this can be resolved. Can you confirm, Alex?
seems done