CVE-2019-10876
First published: Wed Apr 03 2019(Updated: )
An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Neutron | >=11.0.0<11.0.7 | |
| OpenStack Neutron | >=12.0.0<12.0.6 | |
| OpenStack Neutron | >=13.0.0<13.0.3 | |
| Redhat Openstack | =13 | |
| Redhat Openstack | =14 | |
| redhat/neutron | <11.0.7 | 11.0.7 |
| redhat/neutron | <12.0.6 | 12.0.6 |
| redhat/neutron | <13.0.3 | 13.0.3 |
| pip/neutron | >=13.0.0<13.0.3 | 13.0.3 |
| pip/neutron | >=12.0.0<12.0.6 | 12.0.6 |
| pip/neutron | >=11.0.0<11.0.7 | 11.0.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2019/04/09/2
- https://access.redhat.com/errata/RHSA-2019:0879
- https://access.redhat.com/errata/RHSA-2019:0935
- https://bugs.launchpad.net/ossa/+bug/1813007
- https://review.openstack.org/#/q/topic:bug/1813007
- https://security.openstack.org/ossa/OSSA-2019-002.html
- https://review.openstack.org/#/c/640252/
- https://review.openstack.org/#/c/648102/2
- https://review.openstack.org/#/c/648004/2
- https://review.openstack.org/#/c/648003/2
- https://review.openstack.org/#/c/648002/2
- https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1813007
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1695884
- https://github.com/openstack/neutron/commit/237ec30ca94322716a1af5e59c0960f0eef24194
- https://bugzilla.redhat.com/show_bug.cgi?id=1695883
- https://nvd.nist.gov/vuln/detail/CVE-2019-10876
- https://github.com/advisories/GHSA-jr9m-v5qh-mh2j (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/neutron/PYSEC-2019-189.yaml
Frequently Asked Questions
What is CVE-2019-10876?
CVE-2019-10876 is a vulnerability in OpenStack Neutron versions before 11.0.7, 12.0.6, and 13.0.3 that allows an authenticated user to prevent Neutron from configuring networks on compute nodes.
How can an attacker exploit CVE-2019-10876?
By creating two security groups with separate/overlapping port ranges, an authenticated user can exploit CVE-2019-10876.
What is the severity of CVE-2019-10876?
CVE-2019-10876 has a severity rating of 6.5 out of 10 (medium).
Which versions of OpenStack Neutron are affected by CVE-2019-10876?
OpenStack Neutron versions before 11.0.7, 12.0.6, and 13.0.3 are affected by CVE-2019-10876.
How can I fix CVE-2019-10876?
To fix CVE-2019-10876, upgrade your OpenStack Neutron installation to version 11.0.7, 12.0.6, or 13.0.3.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10876
- agent/software-canonical-lookup
- agent/severity
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jr9m-v5qh-mh2j
- agent/references
- agent/last-modified-date
- agent/tags
- collector/github-advisory
- agent/trending
- vendor/openstack
- canonical/openstack neutron
- version/openstack neutron/11.0.0
- version/openstack neutron/12.0.0
- version/openstack neutron/13.0.0
- vendor/redhat
- canonical/redhat openstack
- version/redhat openstack/13
- version/redhat openstack/14
- package-manager/redhat
- package-manager/pip