Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 528
Alerts This Week
Warning Icon 1 528

RedHat OpenStack 13.0: RHSA-2019-0935-01 Important: Neutron Security Issues

red hat
Calendar Grey April 30, 2019
Dist Redhat Esm H88
Urgent security update for OpenStack Neutron identifies several vulnerabilities. Users should upgrade to ensure system integrity and prevent unauthorized access.
An update for openstack-neutron is now available for Red Hat OpenStack Platform 13.0 (Queens)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines.
Security Fix(es):
* openstack-neutron: incorrect validation of port settings in iptables security group driver (CVE-2019-9735)
* openstack-neutron: DOS via broken port range merging in security group (CVE-2019-10876)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2019-9735 https://access.redhat.com/security/cve/CVE-2019-10876 https://access.redhat.com/security/updates/classification#important

Package List

Red Hat OpenStack Platform 13.0:
Source: openstack-neutron-12.0.5-11.el7ost.src.rpm
noarch: openstack-neutron-12.0.5-11.el7ost.noarch.rpm openstack-neutron-common-12.0.5-11.el7ost.noarch.rpm openstack-neutron-linuxbridge-12.0.5-11.el7ost.noarch.rpm openstack-neutron-macvtap-agent-12.0.5-11.el7ost.noarch.rpm openstack-neutron-metering-agent-12.0.5-11.el7ost.noarch.rpm openstack-neutron-ml2-12.0.5-11.el7ost.noarch.rpm openstack-neutron-openvswitch-12.0.5-11.el7ost.noarch.rpm openstack-neutron-rpc-server-12.0.5-11.el7ost.noarch.rpm openstack-neutron-sriov-nic-agent-12.0.5-11.el7ost.noarch.rpm python-neutron-12.0.5-11.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2019:0935-01
Product: Red Hat Enterprise Linux OpenStack Platform
Issue date: 2019-04-30

Topic

An update for openstack-neutron is now available for Red Hat OpenStackPlatform 13.0 (Queens).Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat OpenStack Platform 13.0 - noarch

Bugs Fixed

1610468 - floating ip not reachable on vlan with two different networks and multiple VMs

1629465 - Prevent SR-IOV / direct port from being attached to neutron router (DVR or not)

1630167 - [FFWD] Tempest test_dualnet_dhcp6_stateless_from_os failed

1643135 - OSP 13 - OVS/ml2 - ipv6 forwarding is broken in HA neutron routers due to incorrect ipv6 kernel forwarding parameters1651936 - [RHOSP 13][DVR] Neutron doesn't configure multiple external subnets for one network properly

1654840 - Routers hosted on one of two networker nodes unable to access external network

1685893 - DHCP Agent should not release DHCP lease when client ID is not set on port

1690745 - CVE-2019-9735 openstack-neutron: incorrect validation of port settings in iptables security group driver

1695451 - CVE-2019-10876 openstack-neutron: DOS via broken port range merging in security group [openstack-13-default]

1695883 - CVE-2019-10876 openstack-neutron: DOS via broken port range merging in security group

1696792 - Rebase openstack-neutron to 8b744646264a1fda50f13739a4476cdf32172d0f

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.