OSSA-2014-039: Neutron DoS through invalid DNS configuration¶
November 19, 2014
Neutron: up to 2014.1.3 and 2014.2
Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a vulnerability in Neutron. By configuring a maliciously crafted dns_nameservers an authenticated user may crash Neutron service resulting in a denial of service attack. All Neutron setups are affected.
The former fix did not take into account the usage of hostnames as nameserver and caused a regression for this use-case. This update provides an additional fix for that issue.
https://review.openstack.org/135624 - original (Icehouse)
https://review.openstack.org/139063 - errata (Icehouse)
https://review.openstack.org/135623 - original (Juno)
https://review.openstack.org/139061 - errata (Juno)
https://review.openstack.org/135616 - original (Kilo)
https://review.openstack.org/137560 - errata (Kilo)
Henry Yamauchi from Rackspace (CVE-2014-7821)
Charles Neill from Rackspace (CVE-2014-7821)
Michael Xin from Rackspace (CVE-2014-7821)
These fixes are included in the 2014.2.1 release and will be included in a future 2014.1.4 release.
2014-12-10 - Errata 1
2014-11-19 - Original Version