ALT-PU-2024-1575-3
Package openstack-neutron updated to version 22.1.0-alt1.p10 for branch p10 in task 339070.
Closed vulnerabilities
BDU:2021-04649
Уязвимость правил брандмауэра Open vSwitch сетевого сервиса Neutron, связанная с недостаточной проверкой подлинности данных, позволяющая нарушителю получить доступ к конфиденциальным данным, а также вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2021-20267
A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch driver are affected. Source: OpenStack project. Versions before openstack-neutron 15.3.3, openstack-neutron 16.3.1 and openstack-neutron 17.1.1 are affected.
Modified: 2024-11-21
CVE-2021-38598
OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations.
Modified: 2024-11-21
CVE-2021-40085
An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
- [oss-security] 20210831 [OSSA-2021-005] Neutron: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085)
- [oss-security] 20210831 [OSSA-2021-005] Neutron: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085)
- https://launchpad.net/bugs/1939733
- https://launchpad.net/bugs/1939733
- [debian-lts-announce] 20211011 [SECURITY] [DLA 2781-1] neutron security update
- [debian-lts-announce] 20211011 [SECURITY] [DLA 2781-1] neutron security update
- [debian-lts-announce] 20220526 [SECURITY] [DLA 3027-1] neutron security update
- [debian-lts-announce] 20220526 [SECURITY] [DLA 3027-1] neutron security update
- https://security.openstack.org/ossa/OSSA-2021-005.html
- https://security.openstack.org/ossa/OSSA-2021-005.html
- DSA-4983
- DSA-4983
Modified: 2024-11-21
CVE-2021-40797
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
- [oss-security] 20210909 [OSSA-2021-006] Neutron: Routes middleware memory leak for nonexistent controllers (CVE-2021-40797)
- [oss-security] 20210909 [OSSA-2021-006] Neutron: Routes middleware memory leak for nonexistent controllers (CVE-2021-40797)
- https://launchpad.net/bugs/1942179
- https://launchpad.net/bugs/1942179
- https://security.openstack.org/ossa/OSSA-2021-006.html
- https://security.openstack.org/ossa/OSSA-2021-006.html
Modified: 2025-03-07
CVE-2022-3277
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.