Vulnerability Details : CVE-2014-8153
The L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using radvd 2.0+, allows remote authenticated users to cause a denial of service (blocked router update processing) by creating eight routers and assigning an ipv6 non-provider subnet to each.
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2014-8153
- cpe:2.3:a:openstack:neutron:2014.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:neutron:2014.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:litech:router_advertisement_daemon:2.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8153
4.04%: probability of exploitation activity in the next 30 days
~91%: percentile, the proportion of vulnerabilities that are scored at or below this level
CVSS scores for CVE-2014-8153
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P | 8.0 | 2.9 | NIST | |
CWE ids for CVE-2014-8153
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8153
- https://bugs.launchpad.net/neutron/+bug/1399172
  Bug #1399172 “[OSSA 2015-001] L3 agent DoS vulnerability (CVE-20...” : Bugs : neutron
- https://bugs.launchpad.net/neutron/+bug/1398779
  Bug #1398779 “radvd >= 2.0 blocks router update processing” : Bugs : neutron
- http://lists.openstack.org/pipermail/openstack-announce/2015-January/000320.html
  OpenStack Open Source Cloud Computing Software » Message: [openstack-announce] [OSSA 2015-001] L3 agent denial of service with radvd 2.0+ (CVE-2014-8153) (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1169408
  1169408 – Neutron router interface port creation fails with radvd >= 2.0 due to blocked router update processing
- http://www.securityfocus.com/bid/71961
  OpenStack Neutron CVE-2014-8153 Local Denial of Service Vulnerability