Vulnerability Description
OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 16.04 |
| OpenStack | Nova-LXD | <= 13.1.0 |
References
- http://www.openwall.com/lists/oss-security/2017/02/09/3 (Mailing List, Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/96182 (Third Party Advisory, VDB Entry)
- http://www.ubuntu.com/usn/USN-3195-1 (Third Party Advisory)
- https://bugs.launchpad.net/nova-lxd/+bug/1656847 (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/openstack/nova-lxd/commit/1b76cefb92081efa1e88cd8f330253f8570 (Issue Tracking, Patch, Third Party Advisory)
FAQ
What is CVE-2017-5936?
CVE-2017-5936 is a vulnerability with a CVSS score of 7.5 (HIGH). OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions...
How severe is CVE-2017-5936?
CVE-2017-5936 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-5936?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, OpenStack Nova-LXD.