Bug 896780 - (CVE-2014-6414) VUL-0: CVE-2014-6414: openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Bernhard Wiedemann
Reported: 2014-09-15 21:19 UTC by Marcus Meissner
Modified: 2019-06-06 14:39 UTC (History)
Description Marcus Meissner 2014-09-15 21:19:02 UTC
public via oss-sec

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.

Title: Admin-only network attributes may be reset to defaults by
non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating
a network attribute with a default value a non-privileged user may reset
admin-only network attributes. This may lead to unexpected behavior with
security implications for operators with a custom policy.json, or in some
extreme cases network outages resulting in denial of service. All
deployments using neutron networking are affected by this flaw.


Thanks in advance,

Grant Murphy
OpenStack Vulnerability Management Team
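
The flaw class described in the advisory above, as an added example that is not part of the original report and is not Neutron's code: a simplified model in which the flawed check treats a supplied attribute as "set" only when its value differs from the default, next to a check that enforces policy on every supplied attribute. The attribute names, defaults, admin-only set and function names are constructed assumptions.

```python
# Simplified model of per-attribute update authorization (not Neutron's code).
# Attribute names, defaults and the admin-only set are constructed for illustration.
DEFAULTS = {"name": "", "shared": False, "router:external": False}
ADMIN_ONLY = {"shared", "router:external"}


class PolicyNotAuthorized(Exception):
    pass


def attrs_checked_by_value(body):
    """Flawed heuristic: an attribute counts as 'set' only if it differs from its default."""
    return {k for k, v in body.items() if v != DEFAULTS[k]}


def attrs_checked_by_presence(body):
    """Hardened: every attribute the caller supplied is subject to policy."""
    return set(body)


def update_network(network, body, is_admin, attrs_to_check):
    """Apply body to network after enforcing admin-only policy on the selected attributes."""
    unknown = set(body) - set(DEFAULTS)
    if unknown:
        raise ValueError("unknown attributes: %s" % sorted(unknown))
    denied = attrs_to_check(body) & ADMIN_ONLY
    if denied and not is_admin:
        raise PolicyNotAuthorized(sorted(denied))
    updated = dict(network)
    updated.update(body)
    return updated


def demo():
    # Constructed state: an admin previously marked the network as shared.
    net = {"name": "corp", "shared": True, "router:external": False}
    reset = {"shared": False}  # non-admin request carrying the default value
    flawed = update_network(net, reset, False, attrs_checked_by_value)
    try:
        update_network(net, reset, False, attrs_checked_by_presence)
        hardened_blocked = False
    except PolicyNotAuthorized:
        hardened_blocked = True
    # (value of 'shared' after the flawed path, whether the hardened path refused)
    return flawed["shared"], hardened_blocked


if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug should submit each admin-only attribute at its default value as a non-admin and assert that the request is refused.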
Comment 1 Swamp Workflow Management 2014-09-15 22:00:39 UTC
bugbot adjusting priority
Comment 2 SMASH SMASH 2014-09-16 05:40:11 UTC
Affected packages:

SLE-11-SP3-CL4: openstack-neutron
SLE-11-SP3-UPTU: openstack-neutron
Comment 3 Bernhard Wiedemann 2014-10-14 06:57:52 UTC
Havana and Icehouse patches are in the queue


havana backport is in
Comment 6 Swamp Workflow Management 2015-01-08 18:05:06 UTC
SUSE-SU-2015:0018-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (low)
Bug References: 890711,896780,897815,899132,905104
CVE References: CVE-2014-6414,CVE-2014-7821
Sources used:
SUSE Cloud 4 (src):    openstack-neutron-2014.1.4.dev66.gb8c0c7b-0.7.1, openstack-neutron-doc-2014.1.4.dev66.gb8c0c7b-0.7.1
Comment 7 Johannes Segitz 2017-08-04 08:53:50 UTC
fixed in old versions, new versions already fixed