Candidate: CVE-2018-14635
PublicDate: 2018-09-10 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14635
Description:
 When using the Linux bridge ml2 driver, non-privileged tenants are able to
 create and attach ports without specifying an IP address, bypassing IP
 address validation. A potential denial of service could occur if an IP
 address, conflicting with existing guests or routers, is then assigned from
 outside of the allowed allocation pool. Versions of openstack-neutron
 before 13.0.0.0b2, 12.0.3 and 11.0.5 are vulnerable.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.launchpad.net/neutron/+bug/1757482
Priority: negligible
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [6.5 MEDIUM]


Patches_neutron:
 upstream: https://review.openstack.org/#/c/584326/ (ocata, 10.x)
 upstream: https://review.openstack.org/#/c/584324/ (queens, 12.x)
upstream_neutron: released (12.0.4)
precise/esm_neutron: DNE
trusty_neutron: ignored (reached end-of-life)
trusty/esm_neutron: DNE (trusty was needs-triage)
xenial_neutron: ignored (end of standard support, was needed)
esm-infra/xenial_neutron: needed
bionic_neutron: released (2:12.0.3-0ubuntu1)
cosmic_neutron: not-affected (2:13.0.0-0ubuntu4)
disco_neutron: not-affected (2:13.0.0-0ubuntu4)
eoan_neutron: not-affected (2:13.0.0-0ubuntu4)
focal_neutron: not-affected (2:13.0.0-0ubuntu4)
groovy_neutron: not-affected (2:13.0.0-0ubuntu4)
hirsute_neutron: not-affected (2:13.0.0-0ubuntu4)
impish_neutron: not-affected (2:13.0.0-0ubuntu4)
jammy_neutron: not-affected (2:13.0.0-0ubuntu4)
devel_neutron: not-affected (2:13.0.0-0ubuntu4)