CVE-2019-15753

In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
VendorProductVersion
openstackos-vif
1.15.0 ≤
𝑥
< 1.15.2
openstackos-vif
1.16.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-os-vif
bullseye
2.2.0-2
fixed
buster
not-affected
stretch
not-affected
bookworm
3.0.0-2
fixed
sid
3.7.0-3
fixed
trixie
3.7.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-os-vif
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
eoan
ignored
disco
ignored
bionic
not-affected
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2019/08/29/2
https://launchpad.net/bugs/1837252
https://review.opendev.org/672834
https://review.opendev.org/678098
https://security.openstack.org/ossa/OSSA-2019-004.html
http://www.openwall.com/lists/oss-security/2019/08/29/2
https://launchpad.net/bugs/1837252
https://review.opendev.org/672834
https://review.opendev.org/678098
https://security.openstack.org/ossa/OSSA-2019-004.html