date: 2014-09-29

id: OSSA-2014-031

title: 'Admin-only network attributes may be reset to defaults by non-privileged users'

description: 'Elena Ezhova from Mirantis reported a vulnerability in Neutron.
  By updating a network attribute with a default value a non-privileged
  user may reset admin-only network attributes. This may lead to unexpected
  behavior with security implications for operators with a custom policy.json,
  or in some extreme cases network outages resulting in denial of service.
  All deployments using neutron networking are affected by this flaw.'

reference: http://lists.openstack.org/pipermail/openstack-announce/2014-September/000285.html

affected-products:

  - product: neutron
    version: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

vulnerabilities:

  - cve-id: CVE-2014-6414
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 4.0
        detail: AV:N/AC:L/Au:S/C:N/I:N/A:P
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: CWE-862

reporters:

  - name: 'Elena Ezhova'
    affiliation: Mirantis
    reported:
      - CVE-2014-6414


issues:

  links:
    - https://launchpad.net/bugs/1357379

  type: launchpad

reviews:

  juno:
    - https://review.openstack.org/114531

  icehouse:
    - https://review.openstack.org/123849


  type: gerrit