OSSA-2014-031: Admin-only network attributes may be reset to defaults by non-privileged users

OSSA-2014-031: Admin-only network attributes may be reset to defaults by non-privileged users¶

Date:: September 29, 2014
CVE:: CVE-2014-6414

Affects¶

Neutron: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description¶

Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw.

Patches¶

https://review.openstack.org/123849 (Icehouse)
https://review.openstack.org/114531 (Juno)

Credits¶

Elena Ezhova from Mirantis (CVE-2014-6414)

References¶

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.