Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 522886 (CVE-2014-6414)

Summary: <sys-cluster/neutron-2015.2.9999: Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-15 16:12:36 UTC
From ${URL}:

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.

Title: Admin-only network attributes may be reset to defaults by
non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating
a network attribute with a default value a non-privileged user may reset
admin-only network attributes. This may lead to unexpected behavior with
security implications for operators with a custom policy.json, or in some
extreme cases network outages resulting in denial of service. All
deployments using neutron networking are affected by this flaw.


Thanks in advance,

Grant Murphy
OpenStack Vulnerability Management Team
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 00:40:30 UTC
CVE-2014-6414 (
  OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote
  authenticated users to set admin network attributes to default values via
  unspecified vectors.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-13 04:04:17 UTC
vulnerable versions removed from tree, also, the CVE description is wrong.

OpenStack Neutron before 2014.2.4
should be
OpenStack Neutron before 2013.2.4
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 08:15:58 UTC
Per previous comments no vulnerable versions in tree.