Dec 09, 2019 - 9:43 p.m.

Security Bulletin: PowerVC is impacted by an OpenStack Neutron denial of service vulnerability (CVE-2018-14635)

2019-12-09 21:43:29
www.ibm.com
CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 4 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

Summary

OpenStack Neutron is vulnerable to a denial of service, caused by improper validation of user-supplied input. By using specially crafted content, a remote authenticated attacker could exploit this vulnerability to cause the application to crash.

Vulnerability Details

CVEID: CVE-2018-14635

Description: When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside of the allowed allocation pool.

CVSS Base Score: 6.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150091 for the current score.

CVSS Environmental Score: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
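An audit a defender could run for the condition described above, as an added example that is not part of IBM's bulletin: it flags ports attached without a fixed IP and compares any address seen for them against the allocation pools and the addresses of other ports. Field names follow the Neutron port and subnet API; the sample records, the `OBSERVED` map, and treating a `binding:vif_type` of `bridge` as the Linux bridge driver are assumptions.

```python
import ipaddress

# Constructed sample records using Neutron port/subnet field names.
SUBNETS = {
    "subnet-a": {"network_id": "net-1", "cidr": "10.0.0.0/24",
                 "allocation_pools": [{"start": "10.0.0.10", "end": "10.0.0.100"}]},
}
PORTS = [
    {"id": "port-1", "network_id": "net-1", "mac_address": "fa:16:3e:00:00:01",
     "device_owner": "compute:nova", "binding:vif_type": "bridge",
     "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "10.0.0.11"}]},
    {"id": "port-2", "network_id": "net-1", "mac_address": "fa:16:3e:00:00:02",
     "device_owner": "compute:nova", "binding:vif_type": "bridge", "fixed_ips": []},
    {"id": "port-3", "network_id": "net-1", "mac_address": "fa:16:3e:00:00:03",
     "device_owner": "network:router_interface", "binding:vif_type": "bridge",
     "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "10.0.0.1"}]},
]
# Constructed MAC -> IP observations (assumed to come from a host neighbour table).
OBSERVED = {"fa:16:3e:00:00:02": "10.0.0.1"}


def in_pools(ip, subnet):
    """True if ip lies inside one of the subnet's allocation pools."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(p["start"]) <= addr <= ipaddress.ip_address(p["end"])
               for p in subnet["allocation_pools"])


def audit(ports, subnets, observed):
    """Return (port_id, reasons) for attached bridge ports that have no fixed IP."""
    allocated = {f["ip_address"]: p["id"] for p in ports for f in p["fixed_ips"]}
    findings = []
    for port in ports:
        attached = bool(port["device_owner"])
        if port["binding:vif_type"] != "bridge" or port["fixed_ips"] or not attached:
            continue
        reasons = ["attached without fixed_ips"]
        ip = observed.get(port["mac_address"])
        if ip:
            nets = [s for s in subnets.values() if s["network_id"] == port["network_id"]]
            if not any(in_pools(ip, s) for s in nets):
                reasons.append(f"{ip} outside allocation pools")
            if ip in allocated:
                reasons.append(f"{ip} conflicts with {allocated[ip]}")
        findings.append((port["id"], reasons))
    return findings
```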

Affected Products and Versions

| Affected Product | Affected Version |
| --- | --- |
| IBM PowerVC Standard | 1.3.3 |
| IBM PowerVC Standard | 1.4.0 |
| IBM PowerVC Standard | 1.4.1 |
| IBM Cloud PowerVC Manager | 1.3.3 |
| IBM Cloud PowerVC Manager | 1.4.0 |
| IBM Cloud PowerVC Manager | 1.4.1 |

Remediation/Fixes

| Product | VRMF | APAR | Remediation / First Fix |
| --- | --- | --- | --- |
| IBM PowerVC Standard and IBM Cloud PowerVC Manager | 1.3.3 | IT27706 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/PowerVC&release=1.3.3.1&platform=All&function=textSearch&text=APAR+IT27706_IT27707 |
| IBM PowerVC Standard and IBM Cloud PowerVC Manager | 1.4.0 | IT27706 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/PowerVC&release=1.4.0.1&platform=All&function=textSearch&text=APAR+IT27706_IT27707 |
| IBM PowerVC Standard and IBM Cloud PowerVC Manager | 1.4.1 | NA | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/PowerVC&release=1.4.1.0&platform=All&function=textSearch&text=PowerVC+1.4.1.1 |

Workarounds and Mitigations

None
