SB2023051224 - Ubuntu update for neutron

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023051224

SB2023051224 - Ubuntu update for neutron

Published: May 12, 2023

Security Bulletin ID SB2023051224
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Insufficient verification of data authenticity (CVE-ID: CVE-2021-20267)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to insufficient verification of data authenticity when processing IPv6 packets in openstack-neutron's default Open vSwitch firewall rules. A remote attacker in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network and intercept traffic or perform a denial of service (DoS) attack.


2) Missing Authorization (CVE-ID: CVE-2021-38598)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing authorization when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. A remote attacker in control of a server instance connected to the virtual switch can send specially crafted packets to impersonate the hardware addresses of other systems on the network.


3) Improper access control (CVE-ID: CVE-2021-40085)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and reconfigure dnsmasq via a crafted extra_dhcp_opts value.


4) Resource exhaustion (CVE-ID: CVE-2021-40797)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing API calls to nonexistent controllers. A remote authenticated user can trigger resource exhaustion by sending multiple API calls and perform a denial of service (DoS) attack.


5) Resource exhaustion (CVE-ID: CVE-2022-3277)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when the user queries a list of security groups for an invalid project. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References