Dec 09, 2019 - 11:31 p.m.

Security Bulletin: PowerVC is impacted by an OpenStack Neutron vulnerability related to security group rules (CVE-2019-10876)

2019-12-09 23:31:57
www.ibm.com

EPSS: 0.003 (Low); Percentile: 68.3%

Summary

OpenStack Neutron is vulnerable to a denial of service, caused by a flaw in the neutron-openvswitch-agent. By creating two security groups with separate/overlapping port ranges, a remote authenticated attacker could exploit this vulnerability to prevent Neutron from being able to configure networks on any compute nodes.

Vulnerability Details

**CVEID:** CVE-2019-10876

**Description:** By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected.

**CVSS Base Score:** 4.3

**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159259> for more information

**CVSS Environmental Score:** Undefined

**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product | Affected Version |
| --- | --- |
| IBM PowerVC Standard | 1.4.1 |
| IBM PowerVC Standard | 1.4.2 |
| IBM Cloud PowerVC Manager | 1.4.1 |
| IBM Cloud PowerVC Manager | 1.4.2 |

Remediation/Fixes

| Product | VRMF | APAR | Remediation / First Fix |
| --- | --- | --- | --- |
| IBM PowerVC Standard and IBM Cloud PowerVC Manager | 1.4.1 | IT30286 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/PowerVC&release=1.4.1.1&platform=All&function=aparId&apars=IT30286 |
| IBM PowerVC Standard and IBM Cloud PowerVC Manager | 1.4.2 | IT30286 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/PowerVC&release=1.4.2.1&platform=All&function=aparId&apars=IT30286 |

Workarounds and Mitigations

None
