OSSA-2019-002: Overlapping security group rules prevents compute node network configuration

Date

April 08, 2019

CVE

CVE-2019-10876

Affects

  • Neutron: >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3

Description

Diko Parvanov (Canonical) reported a vulnerability in neutron-openvswitch-agent security group rules. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent neutron from being able to configure networks on any compute nodes where those security groups are present. All neutron deployments utilizing neutron-openvswitch-agent are affected.
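To triage a deployment against the ranges listed under Affects, the following added example (not part of the advisory or of Neutron) parses that range syntax and tests an installed Neutron version against it. The function names, the handling of distro epoch/revision suffixes, and the sample versions are assumptions made for illustration.

```python
import re

# Affected ranges copied verbatim from the "Affects" line of this advisory.
AFFECTED_SPEC = ">=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3"


def parse_version(text):
    """Return the upstream version as a tuple of ints, e.g. (13, 0, 2).

    Assumption: distro package strings may carry an epoch ("2:") and a
    revision ("-0ubuntu1"); both are stripped before comparison.
    """
    upstream = text.strip().split(":", 1)[-1].split("-", 1)[0]
    match = re.match(r"\d+(?:\.\d+)*", upstream)
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "13.0" to (13, 0, 0)


def parse_ranges(spec):
    """Turn the advisory's range syntax into [(low_inclusive, high_exclusive)]."""
    ranges = []
    for clause in spec.split(","):
        bounds = dict(re.findall(r"(>=|<)\s*([\d.]+)", clause))
        if set(bounds) != {">=", "<"}:
            raise ValueError(f"unsupported clause: {clause!r}")
        ranges.append((parse_version(bounds[">="]), parse_version(bounds["<"])))
    return ranges


def check(installed, spec=AFFECTED_SPEC):
    """Return (in_affected_range, first_release_outside_that_range_or_None)."""
    version = parse_version(installed)
    for low, high in parse_ranges(spec):
        if low <= version < high:
            return True, ".".join(map(str, high))
    # Not in a listed range; series the advisory does not list are not assessed.
    return False, None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    for sample in ["11.0.6", "12.0.6", "2:13.0.2-0ubuntu1", "14.0.0"]:
        print(sample, check(sample))
```

A distro package may carry a backported fix without changing the upstream version number, so a positive result for a packaged build should be confirmed against the distributor's own changelog.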

Credits

  • Diko Parvanov from Canonical (CVE-2019-10876)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.