Description
An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)
References (10)
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107390
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://launchpad.net/bugs/1818385
Patch, Vendor Advisory x_refsource_confirm
https://security.openstack.org/ossa/OSSA-2019-001.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/03/18/2
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Mar/24
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4409
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0916
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0935
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0879
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4036-1/
Scores
CVSS v3
6.5
EPSS
0.0189
EPSS Percentile
83.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-755
Status
published
Products (6)
debian/debian_linux
9.0
openstack/neutron
< 10.0.8
pypi/neutron
0 - 10.0.8 (PyPI)
redhat/openstack
10
redhat/openstack
13
redhat/openstack
14
Published
Mar 13, 2019
Tracked Since
Feb 18, 2026