Race Condition Vulnerability in OpenStack Neutron Affecting Security Features
CVE-2015-5240

Currently unrated

Key Information:

Vendor: Openstack
Status: Neutron
Vendor: CVE Published:; 27 October 2015

Summary

A race condition exists in OpenStack Neutron that allows remote authenticated users to bypass IP anti-spoofing mechanisms. This issue occurs when the ML2 plugin or the security groups AMQP API is utilized, enabling attackers to exploit the ability to change the device owner of a port to initiate with 'network:'. By doing so, they can circumvent security group rules before they are fully applied, potentially leading to unauthorized access or network configuration changes.

References

http://rhn.redhat.com/errata/RHSA-2015-1909.html

vendor-advisoryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=1258458

x_refsource_CONFIRM

https://security.openstack.org/ossa/OSSA-2015-018.html

x_refsource_CONFIRM

Timeline

Vulnerability published
Oct 27, 2015
Vulnerability Reserved
Jul 1, 2015