CVSS2: 2.1 Low
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:H/Au:S/C:P/I:N/A:N
OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, ‘neutron’ replaces ‘quantum’ as the core component of OpenStack Networking.

A flaw was found in the way OpenStack Networking performed authorization checks on created ports. An authenticated user could potentially use this flaw to create ports on a router belonging to a different tenant, allowing unauthorized access to the network of other tenants. Note that only OpenStack Networking setups using plug-ins that rely on the l3-agent were affected. (CVE-2014-0056)

It was discovered that the default sudo configuration provided in OpenStack Networking, which is specific to the openstack-neutron package shipped by Red Hat, did not correctly specify a configuration file for rootwrap, potentially allowing an unauthenticated user to escalate their privileges. (CVE-2013-6433)

Red Hat would like to thank the OpenStack project for reporting CVE-2014-0056. Upstream acknowledges Aaron Rosen from VMware as the original reporter of CVE-2014-0056. The CVE-2013-6433 issue was discovered by Kashyap Chamarthy of Red Hat.

This update also fixes several bugs and adds enhancements. Documentation for these changes is available in the Technical Notes document linked to in the References section.

All openstack-neutron users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
rhn.redhat.com/errata/RHSA-2014-0516.html
www.openwall.com/lists/oss-security/2014/03/27/5
www.ubuntu.com/usn/USN-2194-1
access.redhat.com/errata/RHSA-2014:0516
access.redhat.com/security/cve/CVE-2014-0056
access.redhat.com/security/updates/classification/#moderate
access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/Technical_Notes/index.html
bugs.launchpad.net/neutron/+bug/1243327
bugzilla.redhat.com/show_bug.cgi?id=1036523
bugzilla.redhat.com/show_bug.cgi?id=1050962
bugzilla.redhat.com/show_bug.cgi?id=1051028
bugzilla.redhat.com/show_bug.cgi?id=1051036
bugzilla.redhat.com/show_bug.cgi?id=1051444
bugzilla.redhat.com/show_bug.cgi?id=1060709
bugzilla.redhat.com/show_bug.cgi?id=1060711
bugzilla.redhat.com/show_bug.cgi?id=1063141
bugzilla.redhat.com/show_bug.cgi?id=1071891
bugzilla.redhat.com/show_bug.cgi?id=1075833
bugzilla.redhat.com/show_bug.cgi?id=1076994
bugzilla.redhat.com/show_bug.cgi?id=1077487
bugzilla.redhat.com/show_bug.cgi?id=1080071
bugzilla.redhat.com/show_bug.cgi?id=1081159
bugzilla.redhat.com/show_bug.cgi?id=1084535
bugzilla.redhat.com/show_bug.cgi?id=1086077
bugzilla.redhat.com/show_bug.cgi?id=1098578