Description
An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected.
References (6)
Core 6
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/ossa/+bug/1813007
Vendor Advisory x_refsource_misc
https://review.openstack.org/#/q/topic:bug/1813007
Third Party Advisory x_refsource_confirm
https://security.openstack.org/ossa/OSSA-2019-002.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/09/2
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0935
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0879
Scores
CVSS v3
6.5
EPSS
0.0062
EPSS Percentile
70.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
Status
published
Products (4)
openstack/neutron
11.0.0 - 11.0.7
pypi/neutron
11.0.0 - 11.0.7PyPI
redhat/openstack
13
redhat/openstack
14
Published
Apr 05, 2019
Tracked Since
Feb 18, 2026