PublicDateAtUSN: 2019-03-12
Candidate: CVE-2019-9735
PublicDate: 2019-03-13 02:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9735
 https://seclists.org/oss-sec/2019/q1/183
 https://ubuntu.com/security/notices/USN-4036-1
Description:
 An issue was discovered in the iptables firewall module in OpenStack
 Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x
 before 13.0.3. By setting a destination port in a security group rule along
 with a protocol that doesn't support that option (for example, VRRP), an
 authenticated user may block further application of security group rules
 for instances from any project/tenant on the compute hosts to which it's
 applied. (Only deployments using the iptables security group driver are
 affected.)
Ubuntu-Description:
Notes:
Bugs:
 https://launchpad.net/bugs/1818385
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924508
Priority: medium
Discovered-by: Erik Olof Gunnar Andersson
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [6.5 MEDIUM]


Patches_neutron:
 upstream: https://review.openstack.org/640685 (rocky, 13.0.x)
 upstream: https://review.openstack.org/640702 (queens, 12.0.x)
 upstream: https://review.openstack.org/640790 (pike, 11.0.x)
 upstream: https://review.openstack.org/640791 (ocata, 10.0.x)
upstream_neutron: released (2:13.0.2-13)
precise/esm_neutron: DNE
trusty_neutron: ignored (reached end-of-life)
trusty/esm_neutron: DNE (trusty was needs-triage)
xenial_neutron: released (2:8.4.0-0ubuntu7.4)
esm-infra/xenial_neutron: released (2:8.4.0-0ubuntu7.4)
bionic_neutron: released (2:12.0.6-0ubuntu1)
cosmic_neutron: released (2:13.0.2-0ubuntu3.4)
disco_neutron: not-affected (2:14.0.0~b1~git2018120609.2e720b158b-0ubuntu2)
devel_neutron: not-affected (2:14.0.0~b1~git2018120609.2e720b158b-0ubuntu2)