date: 2014-11-19

id: OSSA-2014-039

title: 'Neutron DoS through invalid DNS configuration'

description: 'Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported
    a vulnerability in Neutron. By configuring a maliciously crafted
    dns_nameservers an authenticated user may crash Neutron service
    resulting in a denial of service attack. All Neutron setups are affected.'

errata: 'The former fix did not take into account the usage of hostnames as
    nameserver and caused a regression for this use-case. This update
    provides an additional fix for that issue.'

affected-products:

  - product: neutron
    version: up to 2014.1.3 and 2014.2

vulnerabilities:

  - cve-id: CVE-2014-7821
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 4.0
        detail: AV:N/AC:L/Au:S/C:N/I:N/A:P
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO


reporters:

  - name: 'Henry Yamauchi'
    affiliation: Rackspace
    reported:
      - CVE-2014-7821

  - name: 'Charles Neill'
    affiliation: Rackspace
    reported:
      - CVE-2014-7821

  - name: 'Michael Xin'
    affiliation: Rackspace
    reported:
      - CVE-2014-7821

issues:

  links:
    - https://launchpad.net/bugs/1378450

  type: launchpad

reviews:

  kilo:
    - https://review.openstack.org/135616 - original
    - https://review.openstack.org/137560 -   errata

  juno:
    - https://review.openstack.org/135623 - original
    - https://review.openstack.org/139061 -   errata

  icehouse:
    - https://review.openstack.org/135624 - original
    - https://review.openstack.org/139063 -   errata

  type: gerrit

notes:
  - 'These fixes are included in the 2014.2.1 release and will be included in
    a future 2014.1.4 release.'

errata_history:
  - 2014-12-10 - Errata 1
  - 2014-11-19 - Original Version