CVE-2019-15753

EUVD-2022-4542
In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
Affected Products (NVD)
VendorProductVersion
openstackos-vif
1.15.0 ≤
𝑥
< 1.15.2
openstackos-vif
1.16.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-os-vif
bookworm
3.0.0-2
fixed
bullseye
2.2.0-2
fixed
buster
not-affected
sid
3.7.0-3
fixed
stretch
not-affected
trixie
3.7.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-os-vif
bionic
not-affected
disco
ignored
eoan
ignored
focal
needed
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needed
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2019/08/29/2
https://launchpad.net/bugs/1837252
https://review.opendev.org/672834
https://review.opendev.org/678098
https://security.openstack.org/ossa/OSSA-2019-004.html
http://www.openwall.com/lists/oss-security/2019/08/29/2
https://launchpad.net/bugs/1837252
https://review.opendev.org/672834
https://review.opendev.org/678098
https://security.openstack.org/ossa/OSSA-2019-004.html