Vulnerability Description
In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.
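The condition the description names can be checked from the host side: the kernel exposes each Linux bridge's forwarding-database ageing time in sysfs, and a value of 0 means MAC learning is off and non-local frames are flooded. The following POSIX shell check is an added example, not os-vif or OpenStack code; the directory tree it scans is constructed inline so it runs offline (on a real host, pass `/sys/class/net`).

```shell
#!/bin/sh
# Added check (not part of os-vif): report Linux bridges whose ageing_time is 0.
# The kernel shows the value in 1/100 s units; its default is 300 s (30000).
# ageing_time 0 disables MAC learning, so every non-local destination is
# flooded to all bridge ports, the behaviour CVE-2019-15753 describes.

# bridge_learning_disabled FILE
#   FILE is a bridge's sysfs ageing_time file,
#   e.g. /sys/class/net/<bridge>/bridge/ageing_time.
#   Exit 0 when ageing time is 0, 1 otherwise, 2 if the file is unreadable.
bridge_learning_disabled() {
    ageing=$(tr -d '[:space:]' < "$1") || return 2
    [ "$ageing" = "0" ]
}

# scan_bridges SYSFS_NET
#   Walks SYSFS_NET (normally /sys/class/net), prints one line per bridge
#   with MAC learning disabled; exit 0 if none found, 1 if any found.
scan_bridges() {
    found=0
    for f in "$1"/*/bridge/ageing_time; do
        [ -f "$f" ] || continue
        br=$(basename "$(dirname "$(dirname "$f")")")
        if bridge_learning_disabled "$f"; then
            echo "$br: ageing_time=0, MAC learning disabled (flooding)"
            found=1
        fi
    done
    return $found
}

# Constructed sample tree standing in for /sys/class/net (hypothetical names).
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/brq-affected/bridge" "$demo_tree/brq-ok/bridge"
echo 0 > "$demo_tree/brq-affected/bridge/ageing_time"
echo 30000 > "$demo_tree/brq-ok/bridge/ageing_time"

scan_bridges "$demo_tree" && echo "no bridge with ageing_time 0"
```

After applying the fixed os-vif release, re-running the scan against `/sys/class/net` should report no bridges.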
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Os-Vif | >= 1.15.0, < 1.15.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2019/08/29/2 (Mailing List, Patch, Third Party Advisory)
- https://launchpad.net/bugs/1837252 (Issue Tracking, Third Party Advisory)
- https://review.opendev.org/672834 (Patch)
- https://review.opendev.org/678098 (Patch)
- https://security.openstack.org/ossa/OSSA-2019-004.html (Patch, Vendor Advisory)
FAQ
What is CVE-2019-15753?
CVE-2019-15753 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both ...
How severe is CVE-2019-15753?
CVE-2019-15753 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-15753?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Os-Vif.