Bug 905104 (CVE-2014-7821) - VUL-0: CVE-2014-7821: openstack-neutron: DoS through invalid DNS configuration
Summary: VUL-0: CVE-2014-7821: openstack-neutron: DoS through invalid DNS configuration
Status: RESOLVED FIXED
Alias: CVE-2014-7821
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-11-27
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3-cl4:59845
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-12 14:03 UTC by Johannes Segitz
Modified: 2019-06-06 14:43 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2014-11-12 14:03:44 UTC
Date: Wed, 12 Nov 2014 14:42:59 +0100
From: Thierry Carrez <thierry@openstack.org>

Title: Neutron DoS through invalid DNS configuration
Reporter: Henry Yamauchi, Charles Neill and Michael Xin (Rackspace)
Products: Neutron
Versions: up to 2014.2

Description:
Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a
vulnerability in Neutron. By configuring a maliciously crafted
dns_nameservers an authenticated user may crash Neutron service
resulting in a denial of service attack. All Neutron setups are
affected.

Proposed public disclosure date/time:
2014-11-19, 1500UTC
Comment 1 Johannes Segitz 2014-11-12 14:04:12 UTC
Created attachment 613372
Kilo
Comment 2 Johannes Segitz 2014-11-12 14:04:29 UTC
Created attachment 613373
icehouse
Comment 3 Johannes Segitz 2014-11-12 14:04:46 UTC
Created attachment 613374
Juno
Comment 4 Swamp Workflow Management 2014-11-12 23:00:39 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2014-11-13 13:48:42 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-11-27.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59646
Comment 6 Johannes Segitz 2014-11-20 12:00:10 UTC
is public
Comment 10 Bernhard Wiedemann 2014-11-27 15:57:55 UTC
submitted
https://build.suse.de/request/show/46739 Cloud4 openstack-neutron

and Cloud3 to follow in a bit
Comment 13 Bernhard Wiedemann 2014-12-08 08:46:10 UTC
neutron updates are submitted to SUSE Cloud 3 and 4 repos
Comment 14 Swamp Workflow Management 2015-01-08 18:05:37 UTC
SUSE-SU-2015:0018-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (low)
Bug References: 890711,896780,897815,899132,905104
CVE References: CVE-2014-6414,CVE-2014-7821
Sources used:
SUSE Cloud 4 (src):    openstack-neutron-2014.1.4.dev66.gb8c0c7b-0.7.1, openstack-neutron-doc-2014.1.4.dev66.gb8c0c7b-0.7.1
Comment 15 Marcus Meissner 2015-03-05 08:06:58 UTC
released for cl4