CVE-2019-10876

An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
openstackneutron
11.0.0 ≤
𝑥
< 11.0.7
openstackneutron
12.0.0 ≤
𝑥
< 12.0.6
openstackneutron
13.0.0 ≤
𝑥
< 13.0.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
neutron
bullseye (security)
2:17.2.1-0+deb11u1
fixed
bullseye
2:17.2.1-0+deb11u1
fixed
stretch
not-affected
jessie
not-affected
bookworm
2:21.0.0-7
fixed
sid
2:25.0.0-1
fixed
trixie
2:25.0.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
neutron
disco
not-affected
cosmic
Fixed 2:13.0.2-0ubuntu3
released
bionic
Fixed 2:12.0.5-0ubuntu3
released
xenial
not-affected
trusty
dne
References
http://www.openwall.com/lists/oss-security/2019/04/09/2
https://access.redhat.com/errata/RHSA-2019:0879
https://access.redhat.com/errata/RHSA-2019:0935
https://bugs.launchpad.net/ossa/+bug/1813007
https://review.openstack.org/#/q/topic:bug/1813007
https://security.openstack.org/ossa/OSSA-2019-002.html
http://www.openwall.com/lists/oss-security/2019/04/09/2
https://access.redhat.com/errata/RHSA-2019:0879
https://access.redhat.com/errata/RHSA-2019:0935
https://bugs.launchpad.net/ossa/+bug/1813007
https://review.openstack.org/#/q/topic:bug/1813007
https://security.openstack.org/ossa/OSSA-2019-002.html