Network Performance Impact and Data Exposure in OpenStack's Linuxbridge
CVE-2019-15753
9.1CRITICAL
Summary
In versions of OpenStack's os-vif prior to 1.15.2 and 1.16.0, a hard-coded MAC aging time of zero prevents normal MAC learning on the linuxbridge backend. As a result, this configuration leads to forced Ethernet flooding, impairing network performance and potentially allowing unauthorized access to packet contents across different tenant instances on the same network. This issue is prevalent in deployments utilizing the linuxbridge feature, affecting the overall security posture and data integrity within multi-tenant environments.
References
CVSS V3.1
Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved