OpenStack Neutron L3 Agent Port Creation Vulnerability
CVE-2014-0056

Currently unrated

Key Information:

Vendor: Openstack
Status: Neutron
Vendor: CVE Published:; 8 May 2014

Summary

The l3-agent component in OpenStack Neutron versions prior to 2013.2.3 is susceptible to an improper access control vulnerability. It fails to validate the tenant ID during port creation. This oversight permits remote authenticated users to manipulate ports, allowing them to connect to routers belonging to other tenants by using a device ID in the port creation command. Such behavior can lead to serious network segmentation issues and unauthorized access to tenant resources, significantly compromising the overall security posture of affected environments.

References

http://www.openwall.com/lists/oss-security/2014/03/27/5

mailing-listx_refsource_MLIST

http://rhn.redhat.com/errata/RHSA-2014-0516.html

vendor-advisoryx_refsource_REDHAT

http://www.ubuntu.com/usn/USN-2194-1

vendor-advisoryx_refsource_UBUNTU

Timeline

Vulnerability published
May 8, 2014
Vulnerability Reserved
Dec 3, 2013