Bugzilla – Bug 896780
VUL-0: CVE-2014-6414: openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users
Last modified: 2019-06-06 14:39:53 UTC
public via oss-sec

A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

Title: Admin-only network attributes may be reset to defaults by non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw.

References:
https://launchpad.net/bugs/1357379

Thanks in advance,
--
Grant Murphy
OpenStack Vulnerability Management Team
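The flaw class described in the advisory above, as an added example that is not part of the original report and is not Neutron's code. It is a simplified model that assumes the policy check skipped attributes whose submitted value equals the schema default; the schema, function names and sample network are hypothetical and constructed for illustration.

```python
# Simplified model of attribute-level policy enforcement on an update request.
# All names are hypothetical; this is not Neutron's code.

# Constructed schema: each attribute has a default and an admin-only flag.
NETWORK_ATTRS = {
    "name": {"default": "", "admin_only": False},
    "shared": {"default": False, "admin_only": True},
    "router:external": {"default": False, "admin_only": True},
}


class PolicyNotAuthorized(Exception):
    """Raised when the caller may not set the named attribute."""


def enforce_flawed(body, is_admin):
    """Assumed flaw: a value equal to the default counts as 'not set'."""
    for attr, value in body.items():
        spec = NETWORK_ATTRS[attr]
        if value == spec["default"]:
            continue  # no policy check, even for admin-only attributes
        if spec["admin_only"] and not is_admin:
            raise PolicyNotAuthorized(attr)


def enforce_fixed(body, is_admin):
    """Check every attribute the caller explicitly put in the update body,
    regardless of whether the new value happens to equal the default."""
    for attr in body:
        if NETWORK_ATTRS[attr]["admin_only"] and not is_admin:
            raise PolicyNotAuthorized(attr)


def update_network(network, body, is_admin, enforce):
    """Apply body to network if enforce allows it; return True if applied."""
    try:
        enforce(body, is_admin)
    except PolicyNotAuthorized:
        return False
    network.update(body)
    return True


if __name__ == "__main__":
    for check in (enforce_flawed, enforce_fixed):
        net = {"name": "n1", "shared": True, "router:external": False}
        applied = update_network(net, {"shared": False}, False, check)
        print(check.__name__, "applied:", applied, "shared:", net["shared"])
```

A regression test for this class of bug should submit each admin-only attribute at its default value as a non-privileged user and expect a rejection.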
bugbot adjusting priority
Affected packages:
SLE-11-SP3-CL4: openstack-neutron
SLE-11-SP3-UPTU: openstack-neutron
Havana and Icehouse patches are in the queue: https://review.openstack.org/#/q/I6537bb1da5ef0d6899bc71e4e949f2c760c103c2,n,z
Havana backport is in https://github.com/SUSE-Cloud/neutron
SUSE-SU-2015:0018-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (low)
Bug References: 890711,896780,897815,899132,905104
CVE References: CVE-2014-6414,CVE-2014-7821
Sources used:
SUSE Cloud 4 (src): openstack-neutron-2014.1.4.dev66.gb8c0c7b-0.7.1, openstack-neutron-doc-2014.1.4.dev66.gb8c0c7b-0.7.1
fixed in old versions, new versions already fixed