Vulnerability Details : CVE-2017-5936
OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions.
Products affected by CVE-2017-5936
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:a:openstack:nova-lxd:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-5936
0.29%: probability of exploitation activity in the next 30 days
~68%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-5936
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
References for CVE-2017-5936
- https://github.com/openstack/nova-lxd/commit/1b76cefb92081efa1e88cd8f330253f857028bd2
  Ensure LXD veth host device is named correctly · openstack/nova-lxd@1b76cef · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://bugs.launchpad.net/nova-lxd/+bug/1656847
  Bug #1656847 “neutron security group rules not applied to nova-l...” : Bugs : nova-lxd (Issue Tracking; Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/96182
  OpenStack Nova-LXD CVE-2017-5936 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2017/02/09/3
  oss-security - Re: CVE Request: Nova-LXD incorrectly applied Neutron security group rules (Mailing List; Patch; Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3195-1
  USN-3195-1: Nova-LXD vulnerability | Ubuntu security notices (Third Party Advisory)