PT-2019-1893 · Openstack · Openstack Neutron
Erik Olof Gunnar Andersson · Published 2019-03-03 · Updated 2022-05-13
CVE-2019-9735 · CVSS v4.0 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OpenStack Neutron versions prior to 10.0.8
OpenStack Neutron versions 11.x prior to 11.0.7
OpenStack Neutron versions 12.x prior to 12.0.6
OpenStack Neutron versions 13.x prior to 13.0.3
Description
The issue is caused by incorrect handling of security group settings in the iptables firewall driver of OpenStack Neutron, OpenStack's SDN platform. An authenticated attacker can exploit this to bypass the defined security policy: by creating a security group rule that sets a destination port together with a protocol that has no port option, such as VRRP, the attacker blocks further application of security group rules for instances from any project on the affected hosts.
Recommendations
For OpenStack Neutron versions prior to 10.0.8, update to version 10.0.8 or later.
For OpenStack Neutron versions 11.x prior to 11.0.7, update to version 11.0.7 or later.
For OpenStack Neutron versions 12.x prior to 12.0.6, update to version 12.0.6 or later.
For OpenStack Neutron versions 13.x prior to 13.0.3, update to version 13.0.3 or later.
As a temporary workaround, consider restricting the use of the iptables security group driver until a patch is applied.
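Until the upgrade is applied, operators can audit existing rules for the pattern the description names: a port range set on a protocol that carries no L4 port. The following is an added example, not Neutron's own code; it assumes rule rows shaped like the Neutron API's security_group_rule objects (for instance as dumped by `openstack security group rule list -f json`), and the sample rules and ids are constructed.

```python
# Added example (not Neutron's own code): audit security-group rules for the
# CVE-2019-9735 pattern, a port range set on a protocol that has no L4 ports.
# Input rows are assumed to carry the Neutron API fields id, protocol,
# port_range_min and port_range_max (protocol may be a name or an IP number).

# Protocols whose rules may legitimately carry port_range_min/port_range_max.
# Assumption: TCP/UDP/SCTP/DCCP/UDP-Lite carry real ports; the ICMP family
# reuses the two port fields for ICMP type/code, so it is allowed here too.
PORT_BEARING = {
    "tcp", "6", "udp", "17", "sctp", "132", "dccp", "33", "udplite", "136",
    "icmp", "1", "icmpv6", "ipv6-icmp", "58",
}


def rule_is_suspect(rule):
    """True if the rule sets a port range on a protocol with no port concept."""
    has_port = (rule.get("port_range_min") is not None
                or rule.get("port_range_max") is not None)
    if not has_port:
        return False
    proto = rule.get("protocol")
    if proto is None:
        return True  # a port range with no protocol is meaningless as well
    return str(proto).lower() not in PORT_BEARING


def audit(rules):
    """Return the ids of rules matching the pattern, in input order."""
    return [r["id"] for r in rules if rule_is_suspect(r)]


# Constructed sample; ids are placeholders, "112" is the IP number for VRRP.
SAMPLE_RULES = [
    {"id": "r-ssh", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"id": "r-vrrp-num", "protocol": "112", "port_range_min": 10, "port_range_max": 10},
    {"id": "r-vrrp-name", "protocol": "vrrp", "port_range_min": 1, "port_range_max": 65535},
    {"id": "r-ping", "protocol": "icmp", "port_range_min": 8, "port_range_max": 0},
    {"id": "r-gre", "protocol": "gre", "port_range_min": None, "port_range_max": None},
]

if __name__ == "__main__":
    for rid in audit(SAMPLE_RULES):
        print(f"rule {rid}: port range on a port-less protocol (CVE-2019-9735 pattern)")
```

Rules the audit flags should be deleted or recreated without the port range so the iptables driver can apply the remaining rules again.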
Weakness: Improper Handling of Exceptional Conditions
Affected Products
Openstack Neutron
Ubuntu