Network Performance Impact and Data Exposure in OpenStack's Linuxbridge
CVE-2019-15753

9.1CRITICAL

Key Information:

Vendor
Openstack
Status
Os-vif
Vendor
CVE Published:
28 August 2019

Summary

In versions of OpenStack's os-vif prior to 1.15.2 and 1.16.0, a hard-coded MAC aging time of zero prevents normal MAC learning on the linuxbridge backend. As a result, this configuration leads to forced Ethernet flooding, impairing network performance and potentially allowing unauthorized access to packet contents across different tenant instances on the same network. This issue is prevalent in deployments utilizing the linuxbridge feature, affecting the overall security posture and data integrity within multi-tenant environments.

References

https://launchpad.net/bugs/1837252
x_refsource_MISC
https://review.opendev.org/672834
x_refsource_MISC
https://review.opendev.org/678098
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.