CVE-2017-5936

OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
VendorProductVersion
canonicalubuntu_linux
16.04
openstacknova-lxd
𝑥
≤ 13.1.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nova-lxd
yakkety
not-affected
xenial
Fixed 13.2.0-0ubuntu1.16.04.1
released
trusty
dne
precise
dne
References
http://www.openwall.com/lists/oss-security/2017/02/09/3
http://www.securityfocus.com/bid/96182
http://www.ubuntu.com/usn/USN-3195-1
https://bugs.launchpad.net/nova-lxd/+bug/1656847
https://github.com/openstack/nova-lxd/commit/1b76cefb92081efa1e88cd8f330253f857028bd2
http://www.openwall.com/lists/oss-security/2017/02/09/3
http://www.securityfocus.com/bid/96182
http://www.ubuntu.com/usn/USN-3195-1
https://bugs.launchpad.net/nova-lxd/+bug/1656847
https://github.com/openstack/nova-lxd/commit/1b76cefb92081efa1e88cd8f330253f857028bd2