Executive Summary
| Summary | |
|---|---|
| Title | openstack-neutron security, bug fix, and enhancement update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2014:0516 | First vendor Publication | 2014-05-29 |
| Vendor | RedHat | Last vendor Modification | 2014-05-29 |
| Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:H/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 7.6 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | High |
| Cvss Expoit Score | 4.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: Updated openstack-neutron packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch 3. Description: OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum' as the core component of OpenStack Networking. A flaw was found in the way OpenStack Networking performed authorization checks on created ports. An authenticated user could potentially use this flaw to create ports on a router belonging to a different tenant, allowing unauthorized access to the network of other tenants. Note that only OpenStack Networking setups using plug-ins that rely on the l3-agent were affected. (CVE-2014-0056) It was discovered that the default sudo configuration provided in OpenStack Networking, which is specific to the openstack-neutron package shipped by Red Hat, did not correctly specify a configuration file for rootwrap, potentially allowing an unauthenticated user to escalate their privileges. (CVE-2013-6433) Red Hat would like to thank the OpenStack project for reporting CVE-2014-005 |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2014-0516.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-287 | Improper Authentication |
| 50 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:24699 | |||
| Oval ID: | oval:org.mitre.oval:def:24699 | ||
| Title: | USN-2194-1 -- neutron vulnerability | ||
| Description: | OpenStack Neutron would allow unintended access to other tenant networks. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-2194-1 CVE-2014-0056 | Version: | 5 |
| Platform(s): | Ubuntu 13.10 | Product(s): | neutron |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2014-06-26 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2255-1.nasl - Type : ACT_GATHER_INFO |
| 2014-05-06 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2194-1.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-06-03 21:27:47 |
|
| 2014-06-02 21:27:28 |
|
| 2014-05-30 00:20:29 |
|
