OSSA-2014-008: Routers can be cross plugged by other tenants

OSSA-2014-008: Routers can be cross plugged by other tenants¶

Date:: March 27, 2014
CVE:: CVE-2014-0056

Affects¶

Neutron: 2012.2 versions up to 2013.2.2

Description¶

Aaron Rosen from VMware reported a vulnerability where Neutron fails to perform proper authorization checks when creating ports. By choosing a device id of a router from a different tenant when creating a port, an authenticated user can access the network of other tenants. This affects deployments of Neutron using plugins relying on the l3-agent.

Patches¶

https://review.openstack.org/#/c/83393 (Havana)
https://review.openstack.org/#/c/83391 (Icehouse)

Credits¶

Aaron Rosen from VMware (CVE-2014-0056)

References¶

this page last updated: 2024-10-03 16:29:15

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.