CVE-2014-3555

OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://lists.openstack.org/pipermail/openstack-announce/2014-July/000255.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2014-1119.html
http://rhn.redhat.com/errata/RHSA-2014-1120.html
http://seclists.org/oss-sec/2014/q3/200
http://secunia.com/advisories/60766
http://secunia.com/advisories/60804
http://www.securityfocus.com/bid/68765
https://bugs.launchpad.net/neutron/+bug/1336207

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openstack:neutron:2013.2.4:::::::*
	cpe:2.3:a:openstack:neutron:2014.1:::::::*
	cpe:2.3:a:openstack:neutron:2014.1.1:::::::*
	cpe:2.3:a:openstack:neutron:juno-1:::::::*

History

13 Feb 2023, 00:40

Type	Values Removed	Values Added
Summary	A denial of service flaw was found in neutron's handling of allowed address pairs. As there was no enforced quota on the amount of allowed address pairs, a sufficiently authorized user could possibly create a large number of firewall rules, impacting performance or potentially rendering a compute node unusable.	OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs.
References	~~{'url': 'https://access.redhat.com/errata/RHSA-2014:1119', 'name': 'https://access.redhat.com/errata/RHSA-2014:1119', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=1118833', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=1118833', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/security/cve/CVE-2014-3555', 'name': 'https://access.redhat.com/security/cve/CVE-2014-3555', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2014:1120', 'name': 'https://access.redhat.com/errata/RHSA-2014:1120', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2014:1078', 'name': 'https://access.redhat.com/errata/RHSA-2014:1078', 'tags': [], 'refsource': 'MISC'}~~

02 Feb 2023, 20:17

Type	Values Removed	Values Added
Summary	OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs.	A denial of service flaw was found in neutron's handling of allowed address pairs. As there was no enforced quota on the amount of allowed address pairs, a sufficiently authorized user could possibly create a large number of firewall rules, impacting performance or potentially rendering a compute node unusable.
References		(MISC) https://access.redhat.com/errata/RHSA-2014:1119 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1118833 - (MISC) https://access.redhat.com/security/cve/CVE-2014-3555 - (MISC) https://access.redhat.com/errata/RHSA-2014:1120 - (MISC) https://access.redhat.com/errata/RHSA-2014:1078 -

Information

Published : 2014-07-23 14:55

Updated : 2023-12-10 11:31

NVD link : CVE-2014-3555

Mitre link : CVE-2014-3555

CVE.ORG link : CVE-2014-3555

JSON object : View

Products Affected

openstack

neutron

CWE

CWE-264

Permissions, Privileges, and Access Controls

4.0 /10