PT-2015-6102 · Openstack · Openstack Neutron

Published: 2015-08-26 · Updated: 2023-02-13 · CVE-2015-3221

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions

OpenStack Neutron versions prior to 2014.2.4 (juno)
OpenStack Neutron versions 2015.1.x prior to 2015.1.1 (kilo)

Description

The issue allows remote authenticated users to cause a denial of service by crashing the L2 agent. The crash occurs when a user adds an address pair that the ipset tool rejects, and it applies when the IPTables firewall driver is in use.

Recommendations

For OpenStack Neutron versions prior to 2014.2.4 (juno), update to version 2014.2.4 or later. For OpenStack Neutron versions 2015.1.x prior to 2015.1.1 (kilo), update to version 2015.1.1 or later. As a temporary workaround, consider restricting the addition of address pairs that may be rejected by the ipset tool to minimize the risk of exploitation.

Weakness Enumeration

Related Identifiers

CVE-2015-3221
GHSA-WF44-4MGJ-RWVX
RHSA-2015:1680
SUSE-SU-2015:1890-1
SUSE-SU-2015:2220-1

Affected Products

Openstack Neutron