Bug 505980 (CVE-2014-0056) - <sys-cluster/neutron-2013.2.2-r1 : Routers can be cross plugged by other tenants (CVE-2014-0056) (OSSA 2014-008)
Summary: <sys-cluster/neutron-2013.2.2-r1 : Routers can be cross plugged by other tena...
Status: RESOLVED FIXED
Alias: CVE-2014-0056
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-27 16:31 UTC by Agostino Sarubbo
Modified: 2014-10-11 14:04 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-03-27 16:31:38 UTC
From ${URL} :

OpenStack Security Advisory: 2014-008
CVE: CVE-2014-0056
Date: March 27, 2014
Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMWare)
Products: Neutron
Affects: 2012.2 versions up to 2013.2.2

Description:
Aaron Rosen from VMWare reported a vulnerability where Neutron fails to
perform proper authorization checks when creating ports. By choosing a
device id of a router from a different tenant when creating a port, an
authenticated user can access the network of other tenants. This affects
deployments of Neutron using plugins relying on the l3-agent.

Icehouse (development branch) fix: 
https://review.openstack.org/83391


Havana fix: 
https://review.openstack.org/83393


Notes: 
One should perform an audit of the ports that are already attached to
routers after applying this patch and remove ports that a tenant may
have cross plugged.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0056
https://bugs.launchpad.net/bugs/1243327


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
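The advisory describes two defender-side tasks: refuse a port whose device_id names a router owned by another tenant, and audit already-attached router ports after patching. The following is an added illustration of both, not code from the Gentoo bug or from the Neutron patches; it operates on plain dicts shaped like Neutron's router and port API resources, and the routers, ports and tenant ids below are constructed sample data.

```python
# Neutron tags a router's tenant-facing interface port with this device_owner.
ROUTER_INTERFACE = "network:router_interface"

# Constructed sample data (ids and tenants are made up for the example).
ROUTERS = [
    {"id": "r-1", "tenant_id": "tenant-a"},
    {"id": "r-2", "tenant_id": "tenant-b"},
]
PORTS = [
    # Legitimate: tenant-a interface on tenant-a's router.
    {"id": "p-1", "tenant_id": "tenant-a", "device_id": "r-1",
     "device_owner": ROUTER_INTERFACE},
    # Cross plugged: tenant-b interface attached to tenant-a's router.
    {"id": "p-2", "tenant_id": "tenant-b", "device_id": "r-1",
     "device_owner": ROUTER_INTERFACE},
    # Ordinary VM port: same device_id string, but not a router interface,
    # so the l3-agent never wires it into the router.
    {"id": "p-3", "tenant_id": "tenant-b", "device_id": "r-1",
     "device_owner": "compute:nova"},
]


def _router_owners(routers):
    """Map router id -> owning tenant id."""
    return {r["id"]: r["tenant_id"] for r in routers}


def authorize_port_create(port, routers, is_admin=False):
    """Pre-creation check (illustrative, not Neutron's patch): a non-admin may
    only plug a router interface into a router owned by the same tenant.
    Returns True when the create request should be allowed."""
    if is_admin or port.get("device_owner") != ROUTER_INTERFACE:
        return True
    owner = _router_owners(routers).get(port.get("device_id"))
    # An unknown router id is refused too, rather than resolved later by the agent.
    return owner is not None and owner == port["tenant_id"]


def find_cross_plugged_ports(ports, routers):
    """Post-patch audit from the advisory's Notes: ids of router-interface
    ports whose tenant differs from the owning router's tenant."""
    owner = _router_owners(routers)
    return sorted(
        p["id"] for p in ports
        if p.get("device_owner") == ROUTER_INTERFACE
        and owner.get(p.get("device_id")) not in (None, p["tenant_id"])
    )
```

In a real audit the two lists would come from `neutron router-list` and `neutron port-list` (admin scope) instead of the constructed data; each id returned is a port to review and remove.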
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-03-27 22:34:46 UTC
fixed in neutron-2013.2.2-r1

removing myself from cc
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-10-11 14:04:24 UTC
CVE-2014-0056 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0056):
  The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the
  tenant id when creating ports, which allows remote authenticated users to
  plug ports into the routers of arbitrary tenants via the device id in a
  port-create command.