First published: Wed Aug 28 2019
In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in `internal/command/ip/linux/impl_pyroute2.py`.
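The advisory's two consequences (flooding and cross-tenant visibility) follow directly from how a learning bridge uses its ageing timer. The script below is an added example, not os-vif code: it models a bridge FDB with a configurable ageing time to show that an ageing time of 0 turns every unicast frame into a flood that reaches a third tenant's port, and it audits a host for the same condition by reading `/sys/class/net/<bridge>/bridge/ageing_time` (the kernel exposes the value in hundredths of a second; 30000 is the kernel default of 300 s). Port names, MAC addresses and the frame sequence are constructed sample data; `ip link set dev <br> type bridge ageing_time 30000` is the iproute2 command that restores the default on a running bridge.

```python
"""Model why ageing_time 0 floods, and audit a host for it.

Added example for CVE-2019-15753, not os-vif code. Port names, MACs and
the frame sequence below are constructed sample data.
"""
from pathlib import Path
from typing import Dict, List, Set, Tuple

SYSFS_NET = Path("/sys/class/net")
DEFAULT_AGEING_CS = 30000  # kernel default, hundredths of a second (300 s)


class LearningBridge:
    """Minimal model of a Linux bridge FDB with an ageing timer."""

    def __init__(self, ports: List[str], ageing_cs: int):
        self.ports = list(ports)
        self.ageing_cs = ageing_cs
        self.fdb: Dict[str, Tuple[str, int]] = {}  # mac -> (port, learned_at)

    def forward(self, src: str, dst: str, in_port: str, now_cs: int) -> Set[str]:
        """Return the set of egress ports a unicast frame is delivered to."""
        # Learn the source. With ageing 0 the entry is expired the moment it
        # is written, which is what "disables MAC learning" means in practice.
        self.fdb[src] = (in_port, now_cs)
        entry = self.fdb.get(dst)
        if entry is not None and now_cs - entry[1] < self.ageing_cs:
            return {entry[0]}                     # known destination: unicast
        return set(self.ports) - {in_port}        # unknown destination: flood


# Constructed sample: tenant A's two instances talk; tenant B only listens.
PORTS = ["tap-a1", "tap-a2", "tap-b1"]
SAMPLE_FRAMES = [  # (src_mac, dst_mac, ingress_port, time_cs)
    ("fa:16:3e:00:00:01", "fa:16:3e:00:00:02", "tap-a1", 0),
    ("fa:16:3e:00:00:02", "fa:16:3e:00:00:01", "tap-a2", 1),
    ("fa:16:3e:00:00:01", "fa:16:3e:00:00:02", "tap-a1", 2),
    ("fa:16:3e:00:00:02", "fa:16:3e:00:00:01", "tap-a2", 3),
]


def leaked_frames(ageing_cs: int, observer_port: str = "tap-b1") -> int:
    """Count tenant-A frames that reach the observer port under a given ageing time."""
    br = LearningBridge(PORTS, ageing_cs)
    return sum(
        1 for src, dst, port, t in SAMPLE_FRAMES
        if observer_port in br.forward(src, dst, port, t)
    )


def audit_values(ageing_by_bridge: Dict[str, str]) -> List[str]:
    """Given {bridge: raw sysfs text}, return remediation commands for ageing 0."""
    cmds = []
    for name, raw in sorted(ageing_by_bridge.items()):
        if int(raw.strip()) == 0:
            cmds.append(f"ip link set dev {name} type bridge ageing_time {DEFAULT_AGEING_CS}")
    return cmds


def read_sysfs_bridges(net_root: Path = SYSFS_NET) -> Dict[str, str]:
    """Collect the raw ageing_time text of every bridge under net_root."""
    found: Dict[str, str] = {}
    if not net_root.is_dir():
        return found
    for dev in net_root.iterdir():
        f = dev / "bridge" / "ageing_time"
        if f.is_file():
            found[dev.name] = f.read_text()
    return found


def audit(net_root: Path = SYSFS_NET) -> List[str]:
    """Remediation commands for every local bridge with MAC learning disabled."""
    return audit_values(read_sysfs_bridges(net_root))


if __name__ == "__main__":
    print(f"frames seen by tenant B with default ageing: {leaked_frames(DEFAULT_AGEING_CS)}")
    print(f"frames seen by tenant B with ageing 0:       {leaked_frames(0)}")
    for cmd in audit():
        print("FIX:", cmd)
```

With the default ageing time only the first frame (to a not-yet-learned destination) reaches tenant B; with ageing 0 every frame does. Run `audit()` as root on a compute node to list affected `brq-*` bridges; the printed commands fix the running bridges, but only the os-vif upgrade stops the value being reapplied when ports are plugged.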
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
OpenStack os-vif | >=1.15.0<1.15.2 | |
OpenStack os-vif | =1.16.0 | |
pip/os-vif | =1.16.0 | 1.17.0 |
pip/os-vif | >=1.15.0<1.15.2 | 1.15.2 |
The vulnerability ID for this OpenStack os-vif vulnerability is CVE-2019-15753.
The severity of CVE-2019-15753 is critical with a CVSS score of 9.1.
CVE-2019-15753 is a vulnerability in OpenStack os-vif 1.15.x before 1.15.2 and 1.16.0 in which a hard-coded MAC aging time of 0 disables MAC learning on linuxbridge bridges, so every frame to a non-local destination is flooded to all ports, degrading network performance and letting instances of other tenants on the same network observe traffic that is not addressed to them.
CVE-2019-15753 can impede network performance due to obligatory Ethernet flooding of non-local destinations.
To fix CVE-2019-15753, update OpenStack os-vif to version 1.15.2 if you run the 1.15.x series, or to version 1.17.0 if you run 1.16.0 (1.16.0 itself is affected). Only deployments using the linuxbridge backend need the update.