913369 – (CVE-2014-8153) VUL-1: CVE-2014-8153: openstack-neutron: L3 agent denial of service with radvd 2.0+

Bug 913369 (CVE-2014-8153) - VUL-1: CVE-2014-8153: openstack-neutron: L3 agent denial of service with radvd 2.0+

Summary: VUL-1: CVE-2014-8153: openstack-neutron: L3 agent denial of service with radv...

Status:	RESOLVED FIXED

Alias:	CVE-2014-8153

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Bernhard Wiedemann
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/112130/
Whiteboard:	CVSSv2:NVD:CVE-2014-8153:4.0:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-01-16 08:23 UTC by Victor Pereira
Modified:	2020-04-01 22:11 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2015-01-16 08:23:50 UTC

rh#1180469

The L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using radvd
2.0+, allows remote authenticated users to cause a denial of service (blocked
router update processing) by creating eight routers and assigning an ipv6
non-provider subnet to each.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1180469
https://bugzilla.redhat.com/show_bug.cgi?id=1169408
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8153
http://seclists.org/oss-sec/2015/q1/94
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8153.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8153
https://bugs.launchpad.net/neutron/+bug/1399172
https://bugs.launchpad.net/neutron/+bug/1398779
http://www.securityfocus.com/bid/71961
http://lists.openstack.org/pipermail/openstack-announce/2015-January/000320.html

Comment 1 Swamp Workflow Management 2015-01-16 23:00:14 UTC

bugbot adjusting priority

Comment 2 Vincent Untz 2015-01-19 10:36:03 UTC

My understanding is that this would only impact Cloud 5.

Comment 3 Bernhard Wiedemann 2015-01-19 13:06:32 UTC

https://review.openstack.org/#/q/I131db0639bc46d332ed48faa2bbe68a214264062,n,z

added CVE refs to Juno+Master

Comment 5 Johannes Segitz 2015-04-10 07:51:13 UTC

fixed in Cloud 5