Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 508414 (CVE-2014-0187)

Summary: <sys-cluster/neutron--{2013.2.3-r1, 2014.1-r2}: Neutron security groups bypass through invalid CIDR (CVE-2014-0187) (OSSA 2014-014)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-04-22 15:00:11 UTC
From ${URL} :

OpenStack Security Advisory: 2014-014
CVE: CVE-2014-0187
Date: April 22, 2014
Title: Neutron security groups bypass through invalid CIDR
Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom)
Products: Neutron
Versions: 2013.1 to 2013.2.3, and 2014.1

Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche
Telekom reported a vulnerability in Neutron security groups. By creating
a security group rule with an invalid CIDR, an authenticated user may
break openvswitch-agent process, preventing further rules from being
applied on the host. Note: removal of the faulty rule is not enough, the
openvswitch-agent must be restarted. All Neutron setups using Open
vSwitch are affected.

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-05-02 02:59:08 UTC
Update on Links to status of Open CVE:
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-05-14 00:44:43 UTC
Maintainers, please check looks like this was merged in on 5/6/2014
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-05-14 05:58:57 UTC
fixed in neutron-2013.2.3-r1 neutron-2014.1-r2, removing myself :D
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-10-11 14:23:16 UTC
CVE-2014-0187 (
  The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4
  and 2014.1 before 2014.1.1 allows remote authenticated users to bypass
  security group restrictions via an invalid CIDR in a security group rule,
  which prevents further rules from being applied.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 03:06:59 UTC
Maintainer(s), Thank you for your work. 
Versions no longer in the tree.

No GLSA needed as there are no stable versions.