CVE-2017-5936

EUVD-2017-0078
OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
canonicalubuntu_linux
16.04
openstacknova-lxd
𝑥
≤ 13.1.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nova-lxd
precise
dne
trusty
dne
xenial
Fixed 13.2.0-0ubuntu1.16.04.1
released
yakkety
not-affected
References
http://www.openwall.com/lists/oss-security/2017/02/09/3
http://www.securityfocus.com/bid/96182
http://www.ubuntu.com/usn/USN-3195-1
https://bugs.launchpad.net/nova-lxd/+bug/1656847
https://github.com/openstack/nova-lxd/commit/1b76cefb92081efa1e88cd8f330253f857028bd2
http://www.openwall.com/lists/oss-security/2017/02/09/3
http://www.securityfocus.com/bid/96182
http://www.ubuntu.com/usn/USN-3195-1
https://bugs.launchpad.net/nova-lxd/+bug/1656847
https://github.com/openstack/nova-lxd/commit/1b76cefb92081efa1e88cd8f330253f857028bd2