OSSA-2014-031: Admin-only network attributes may be reset to defaults by non-privileged users

Date:

September 29, 2014

CVE:

CVE-2014-6414

Affects

  • Neutron: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description

Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value, a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using Neutron networking are affected by this flaw.
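The class of flaw described above, as an added example that is not Neutron's code: a simplified model of an update handler whose admin-only check skips attributes submitted with their default value, beside a strict variant that checks every attribute present in the request. The attribute table, the function names and the skip-on-default logic are assumptions made for illustration.

```python
# Added illustration: simplified model, not Neutron's code.
# Constructed attribute table; "admin_only" marks attributes only admins may change.
ATTRS = {
    "name":   {"default": "",    "admin_only": False},
    "shared": {"default": False, "admin_only": True},
}


class PolicyNotAuthorized(Exception):
    pass


def explicitly_set_flawed(attr, body):
    # Assumed flaw: a submitted value equal to the default counts as "not set",
    # so the admin-only check is never applied to it.
    return attr in body and body[attr] != ATTRS[attr]["default"]


def explicitly_set_strict(attr, body):
    # Corrected: any attribute present in the update request is checked.
    return attr in body


def update_network(network, body, is_admin, explicitly_set):
    """Apply body to network after enforcing admin-only attributes."""
    for attr in body:
        if attr not in ATTRS:
            raise ValueError("unknown attribute: %s" % attr)
        if (ATTRS[attr]["admin_only"] and not is_admin
                and explicitly_set(attr, body)):
            raise PolicyNotAuthorized(attr)
    updated = dict(network)
    updated.update(body)
    return updated


def attempt(body, explicitly_set):
    # Constructed state: an admin previously set shared=True on this network.
    network = {"name": "net1", "shared": True}
    try:
        return update_network(network, body, False, explicitly_set)
    except PolicyNotAuthorized:
        return "denied"


if __name__ == "__main__":
    for check in (explicitly_set_flawed, explicitly_set_strict):
        print(check.__name__, attempt({"shared": False}, check))
```

A regression test for a fix of this kind should cover the default-value case for every admin-only attribute, since non-default values are rejected by both variants.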

Patches

Credits

  • Elena Ezhova from Mirantis (CVE-2014-6414)

References