CVE-2014-0056 — OpenStack Neutron Improper Authentication vulnerability

Description

The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.

How to fix CVE-2014-0056

To remediate CVE-2014-0056, upgrade the affected package to a fixed version below.

Debian/neutron—upgrade to 2013.2.2-4 or later
PyPI/neutron—upgrade to 2013.2.3 or later

Is CVE-2014-0056 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2013.2.2-4
>= 2012.2, < 2013.2.3

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0056
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-0056
PATCHopendev.org/openstack/neutron
WEBrhn.redhat.com/errata/RHSA-2014-0516.html
WEB