IBM Support

Security Bulletin: IBM Cloud Manager with Openstack DoS through IPv6 subnet vulnerability (CVE-2014-4167)

Created by Le Tian Ren on

Security Bulletin


Summary

By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 addresses from being attached for the entire cloud.

Vulnerability Details

CVE ID: CVE-2014-4167

Description: The OpenStack Neutron L3-agent is vulnerable to a denial of service attack. A malicious user may break the L3-agent, preventing further floating IPv4 addresses from being attached for the entire cloud. Only Neutron setups using IPv6 and L3-agent are affected.

CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Affected Products and Versions

Cloud Manager with OpenStack 4.1.0

Remediation/Fixes

Product

VRMFAPARRemediation/First FixRequired Action
Cloud Manager with OpenStack4.1.0NoneCloud Manager with OpenStack 4.1.0.3 Fix Pack:
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Cloud+Manager+with+Openstack&release=4.1.0.2&platform=All&function=fixId&fixids=+4.1.0.3-IBM-CMWO-FP03+&includeSupersedes=0
Cloud Manager with OpenStack 4.1.0.3 Fix Pack:
http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400001884

Workarounds and Mitigations

Only IBM Cloud Manager with Openstack configurations using Neutron for networking and using IPv6 and the L3-agent are affected.

Get Notified about Future Security Bulletins

References

Off

Change History

24 October 2014: Revised for clarity
23 September 2014: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SST55W","label":"IBM Cloud Manager with OpenStack"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF016","label":"Linux"}],"Version":"4.1.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
07 August 2018

UID

isg3T1021230