CVE-2019-15753
CRITICAL: OpenStack os-vif 1.15.0-1.15.1 and 1.16.0 - Unauthenticated Ethernet Flooding via Hardcoded MAC Aging Time
Title source: llmDescription
In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations. This both degrades network performance and potentially allows users to view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. The defect is in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.
References (5)
Patch (x_refsource_misc): https://review.opendev.org/672834
Patch (x_refsource_misc): https://review.opendev.org/678098
Patch, Vendor Advisory (x_refsource_confirm): https://security.openstack.org/ossa/OSSA-2019-004.html
Mailing List, Patch, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2019/08/29/2
Issue Tracking, Third Party Advisory (x_refsource_misc): https://launchpad.net/bugs/1837252
Scores
CVSS v3: 9.1
EPSS: 0.0097
EPSS Percentile: 76.8%
Attack Vector: NETWORK
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Details
CWE: CWE-770
Status: published
Products (3)
openstack/os-vif: 1.16.0
openstack/os-vif: 1.15.0 - 1.15.2
pypi/os-vif: 1.15.0 - 1.15.2 (PyPI)
Published: Aug 28, 2019
Tracked Since: Feb 18, 2026