OSSA-2014-039: Neutron DoS through invalid DNS configuration

Date:

November 19, 2014

CVE:

CVE-2014-7821

Affects

• Neutron: up to 2014.1.3 and 2014.2

Description

Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a vulnerability in Neutron. By configuring a maliciously crafted dns_nameservers an authenticated user may crash Neutron service resulting in a denial of service attack. All Neutron setups are affected.

Errata

The former fix did not take into account the usage of hostnames as nameserver and caused a regression for this use-case. This update provides an additional fix for that issue.

Patches

• https://review.openstack.org/135624 - original (Icehouse)

• https://review.openstack.org/139063 - errata (Icehouse)

• https://review.openstack.org/135623 - original (Juno)

• https://review.openstack.org/139061 - errata (Juno)

• https://review.openstack.org/135616 - original (Kilo)

• https://review.openstack.org/137560 - errata (Kilo)

Credits

• Henry Yamauchi from Rackspace (CVE-2014-7821)

• Charles Neill from Rackspace (CVE-2014-7821)

• Michael Xin from Rackspace (CVE-2014-7821)

References

• https://launchpad.net/bugs/1378450

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7821

Notes

• These fixes are included in the 2014.2.1 release and will be included in a future 2014.1.4 release.

OSSA History

• 2014-12-10 - Errata 1

• 2014-11-19 - Original Version