When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside of the allowed allocation pool. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3 and 11.0.5 are vulnerable.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2018:2710 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2018:2715 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2018:2721 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2018:3792 | Third Party Advisory |
https://bugs.launchpad.net/neutron/+bug/1757482 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14635 | Issue Tracking Patch Third Party Advisory |
https://git.openstack.org/cgit/openstack/neutron/commit/?id=54aa6e81cb17b33ce4d5d469cc11dec2869c762d | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
No history.
Information
Published : 2018-09-10 19:29
Updated : 2024-02-28 16:48
NVD link : CVE-2018-14635
Mitre link : CVE-2018-14635
CVE.ORG link : CVE-2018-14635
JSON object : View
Products Affected
redhat
- openstack
openstack
- neutron
CWE
CWE-20
Improper Input Validation