Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 508414 (CVE-2014-0187) - <sys-cluster/neutron--{2013.2.3-r1, 2014.1-r2}: Neutron security groups bypass through invalid CIDR (CVE-2014-0187) (OSSA 2014-014)
Summary: <sys-cluster/neutron--{2013.2.3-r1, 2014.1-r2}: Neutron security groups bypas...
Alias: CVE-2014-0187
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2014-04-22 15:00 UTC by Agostino Sarubbo
Modified: 2014-10-15 03:06 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-22 15:00:11 UTC
From ${URL} :

OpenStack Security Advisory: 2014-014
CVE: CVE-2014-0187
Date: April 22, 2014
Title: Neutron security groups bypass through invalid CIDR
Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom)
Products: Neutron
Versions: 2013.1 to 2013.2.3, and 2014.1

Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche
Telekom reported a vulnerability in Neutron security groups. By creating
a security group rule with an invalid CIDR, an authenticated user may
break openvswitch-agent process, preventing further rules from being
applied on the host. Note: removal of the faulty rule is not enough, the
openvswitch-agent must be restarted. All Neutron setups using Open
vSwitch are affected.

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-05-02 02:59:08 UTC
Update on Links to status of Open CVE:
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-05-14 00:44:43 UTC
Maintainers, please check looks like this was merged in on 5/6/2014
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-05-14 05:58:57 UTC
fixed in neutron-2013.2.3-r1 neutron-2014.1-r2, removing myself :D
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-10-11 14:23:16 UTC
CVE-2014-0187 (
  The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4
  and 2014.1 before 2014.1.1 allows remote authenticated users to bypass
  security group restrictions via an invalid CIDR in a security group rule,
  which prevents further rules from being applied.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 03:06:59 UTC
Maintainer(s), Thank you for your work. 
Versions no longer in the tree.

No GLSA needed as there are no stable versions.