Vulnerability in Openstack Neutron

CVE-2015-5240

Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner o…

Vulnerability class: Race Condition

EPSS: 0.002 (38.7th percentile) — read the EPSS interpretation.

Affected products

Openstack Neutron — versions 2014.2.3, 2015.1.0, 2015.1.1
N/a — versions n/a

Weakness classification (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

References

RHSA-2015:1909 (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
secalert@redhat.com (x_refsource_CONFIRM)
[oss-security] 20151008 [OSSA 2015-018] Neutron firewall rules bypass through port update (CVE-2015-5240) (mailing-list, x_refsource_MLIST)