OSSA-2021-004: Linuxbridge ARP filter bypass on Netfilter platforms¶
- Date:
August 17, 2021
- CVE:
CVE-2021-38598
Affects¶
Neutron: <16.4.1, >=17.0.0 <17.1.3, ==18.0.0
Description¶
Jake Yip with ARDC and Justin Mammarella with the University of Melbourne reported a vulnerability in Neutron’s linuxbridge driver on newer Netfilter-based platforms (the successor to IPTables). By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the linuxbridge driver with ebtables-nft are affected.
Patches¶
https://review.opendev.org/804057 (Ussuri)
https://review.opendev.org/804056 (Victoria)
https://review.opendev.org/785917 (Wallaby)
Credits¶
Jake Yip from ARDC (CVE-2021-38598)
Justin Mammarella from University of Melbourne (CVE-2021-38598)
References¶
Notes¶
The stable/train branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.