A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.
Title: Admin-only network attributes may be reset to defaults by
Reporter: Elena Ezhova (Mirantis)
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating
a network attribute with a default value a non-privileged user may reset
admin-only network attributes. This may lead to unexpected behavior with
security implications for operators with a custom policy.json, or in some
extreme cases network outages resulting in denial of service. All
deployments using neutron networking are affected by this flaw.
Thanks in advance,
OpenStack Vulnerability Management Team
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote
authenticated users to set admin network attributes to default values via
vulnerable versions removed from tree, also, the CVE description is wrong.
OpenStack Neutron before 2014.2.4
OpenStack Neutron before 2013.2.4
Per previous comments no vulnerable versions in tree.