OSSA-2014-039: Neutron DoS through invalid DNS configuration

Date:

November 19, 2014

CVE:

CVE-2014-7821

Affects

  • Neutron: up to 2014.1.3 and 2014.2

Description

Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a vulnerability in Neutron. By configuring a maliciously crafted dns_nameservers an authenticated user may crash Neutron service resulting in a denial of service attack. All Neutron setups are affected.

Errata

The former fix did not take into account the usage of hostnames as nameserver and caused a regression for this use-case. This update provides an additional fix for that issue.

Patches

Credits

  • Henry Yamauchi from Rackspace (CVE-2014-7821)

  • Charles Neill from Rackspace (CVE-2014-7821)

  • Michael Xin from Rackspace (CVE-2014-7821)

References

Notes

  • These fixes are included in the 2014.2.1 release and will be included in a future 2014.1.4 release.

OSSA History

  • 2014-12-10 - Errata 1

  • 2014-11-19 - Original Version