CVE-2018-14636

10.09.2018, 19:29

Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
redhat	CNA	5.3 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 45%

Vendor	Product	Version
openstack	neutron	7.0.0 ≤ 𝑥 ≤ 11.0.4
openstack	neutron	12.0.0 ≤ 𝑥 ≤ 12.0.2
openstack	neutron	13.0.0:b1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

neutron

bullseye (security)	2:17.2.1-0+deb11u1 fixed
bullseye	2:17.2.1-0+deb11u1 fixed
stretch	ignored
jessie	ignored
bookworm	2:21.0.0-7 fixed
sid	2:25.0.0-1 fixed
trixie	2:25.0.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

neutron

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	not-affected
disco	not-affected
cosmic	not-affected
bionic	Fixed 2:12.0.3-0ubuntu1 released
xenial	needed
trusty	dne

Common Weakness Enumeration

CWE-300 - Channel Accessible by Non-Endpoint
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

References

https://bugs.launchpad.net/neutron/+bug/1734320

https://bugs.launchpad.net/neutron/+bug/1767422

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14636

https://bugs.launchpad.net/neutron/+bug/1734320

https://bugs.launchpad.net/neutron/+bug/1767422

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14636