From ${URL} :

OpenStack Security Advisory: 2014-008
CVE: CVE-2014-0056
Date: March 27, 2014
Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMWare)
Products: Neutron
Affects: 2012.2 versions up to 2013.2.2

Description:
Aaron Rosen from VMWare reported a vulnerability where Neutron fails to perform proper authorization checks when creating ports. By choosing a device id of a router from a different tenant when creating a port, an authenticated user can access the network of other tenants. This affects deployments of Neutron using plugins relying on the l3-agent.

Icehouse (development branch) fix: https://review.openstack.org/83391
Havana fix: https://review.openstack.org/83393

Notes:
One should perform an audit of the ports that are already attached to routers after applying this patch and remove ports that a tenant may have cross plugged.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0056
https://bugs.launchpad.net/bugs/1243327

@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Fixed in neutron-2013.2.2-r1; removing myself from CC.
CVE-2014-0056 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0056): The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
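The advisory's note asks for an audit of ports already attached to routers. The following is an added example, not code from the advisory, Neutron or this bug: it compares each router-attached port's tenant with the router's tenant over exported records. The record shape (id, tenant_id, device_id, device_owner, network_id), the function name and the sample data are assumptions; a mismatch is a candidate for review, not proof of cross plugging.

```python
# Added audit sketch. Inputs are lists of dicts shaped like Neutron API
# router and port records; how they are exported is left to the operator.
GATEWAY_OWNER = "network:router_gateway"


def find_cross_plugged_ports(routers, ports):
    """Return ports whose device_id is a router owned by another tenant."""
    router_owner = {r["id"]: r["tenant_id"] for r in routers}
    findings = []
    for port in ports:
        owner = router_owner.get(port.get("device_id"))
        if owner is None:
            continue  # device_id is not a known router (VM, DHCP, unbound)
        port_tenant = port.get("tenant_id") or ""
        # Assumption: gateway ports that Neutron creates itself carry an
        # empty tenant_id, so they are not tenant-created and are skipped.
        if port.get("device_owner") == GATEWAY_OWNER and not port_tenant:
            continue
        if port_tenant != owner:
            findings.append({
                "port_id": port["id"],
                "router_id": port["device_id"],
                "router_tenant": owner,
                "port_tenant": port_tenant,
                "network_id": port.get("network_id"),
            })
    return findings


# Constructed sample data, not taken from any real deployment.
SAMPLE_ROUTERS = [
    {"id": "router-a", "tenant_id": "tenant-a"},
    {"id": "router-b", "tenant_id": "tenant-b"},
]
SAMPLE_PORTS = [
    {"id": "port-1", "device_id": "router-a", "tenant_id": "tenant-a",
     "device_owner": "network:router_interface", "network_id": "net-a"},
    {"id": "port-2", "device_id": "router-a", "tenant_id": "",
     "device_owner": GATEWAY_OWNER, "network_id": "ext-net"},
    {"id": "port-3", "device_id": "router-a", "tenant_id": "tenant-b",
     "device_owner": "network:router_interface", "network_id": "net-b"},
    {"id": "port-4", "device_id": "vm-1", "tenant_id": "tenant-b",
     "device_owner": "compute:nova", "network_id": "net-b"},
]

if __name__ == "__main__":
    for f in find_cross_plugged_ports(SAMPLE_ROUTERS, SAMPLE_PORTS):
        print("review port %(port_id)s: tenant %(port_tenant)s on router "
              "%(router_id)s owned by %(router_tenant)s" % f)
```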