GitHub Advisory DatabaseGHSA-MCPW-CP35-P3H8OpenStack os-vif Ageing time of 0 disables linuxbridge MAC learning
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
7.1 High
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
67.9%
In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.
Affected configurations
References
www.openwall.com/lists/oss-security/2019/08/29/2
github.com/advisories/GHSA-mcpw-cp35-p3h8
github.com/openstack/os-vif/commit/655c83d706f5de8a8cf23430782e065219297aef
github.com/openstack/os-vif/commit/ec9d5430300c908ea9a1c64151eee7af522a44e7
launchpad.net/bugs/1837252
nvd.nist.gov/vuln/detail/CVE-2019-15753
review.opendev.org/672834
review.opendev.org/678098
security.openstack.org/ossa/OSSA-2019-004.html
Related
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
7.1 High
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
67.9%