OSSA-2015-012: Neutron L2 agent DoS through incorrect allowed address pairs

Date:June 23, 2015
CVE:CVE-2015-3221

Affects

  • Neutron: 2014.2 versions through 2014.2.3 and 2015.1.0 version

Description

Darragh O’Reilly from HP reported a vulnerability in Neutron. By adding an address pair which is rejected as invalid by the ipset tool, an authenticated user may crash the Neutron L2 agent resulting in a denial of service attack. Neutron setups using the IPTables firewall driver are affected.

Credits

  • Darragh O’Reilly from HP (CVE-2015-3221)

Notes

  • This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo) releases.
  • Zero prefixed address pairs are no longer accepted by the Juno API, users need to use 0.0.0.0/1 and 128.0.0.1/1 or ::/1 and 8000::/1 instead. The fix_zero_length_ip_prefix.py tool is provided to clean ports previously configured with a zero prefixed address pair