Comment 30 for bug 1243327

Grant Murphy (gmurphy) wrote : Re: Routers can be cross plugged by other tenants

Thanks. How about?

----

Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMware)
Products: Neutron
Affects: All supported versions

Description:
Aaron Rosen from VMware reported a vulnerability where Neutron fails
to perform proper authorization checks when creating ports. By
choosing a device id of a router from a different tenant when
creating a port, an authenticated user can access the network
of other tenants. This affects deployments of Neutron using plugins
relying on the l3-agent.

---

I might also add Aaron's note (below) in the OSSA -

       One should perform an audit of the ports that are already
       attached to routers after applying this patch and remove ports
       that a tenant may have cross plugged.

---

If others are happy with that impact description I'll get a CVE assigned.
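
A sketch of the post-patch audit suggested in the note above, as an added example that is not part of the original comment or of Neutron's own code. It assumes router and port records exported as dicts with the `id`, `device_id` and `tenant_id` fields the Neutron API returns; all sample IDs are constructed, and sending ports with an empty `tenant_id` to manual review is an assumption of this example.

```python
"""Audit router-attached ports for cross-tenant plugging (added example)."""

# Constructed sample data, shaped like the "routers" and "ports" lists
# returned by the Neutron API. Every ID below is made up.
ROUTERS = [
    {"id": "router-a", "tenant_id": "tenant-a"},
    {"id": "router-b", "tenant_id": "tenant-b"},
]
PORTS = [
    {"id": "port-1", "device_id": "router-a", "tenant_id": "tenant-a"},
    {"id": "port-2", "device_id": "router-a", "tenant_id": "tenant-b"},
    {"id": "port-3", "device_id": "router-b", "tenant_id": ""},
    {"id": "port-4", "device_id": "vm-1", "tenant_id": "tenant-b"},
]


def audit_router_ports(routers, ports):
    """Return (cross_plugged, needs_review) findings for router ports."""
    router_owner = {r["id"]: r["tenant_id"] for r in routers}
    cross_plugged, needs_review = [], []
    for port in ports:
        device_id = port.get("device_id")
        if device_id not in router_owner:
            continue  # port is not attached to any known router
        finding = {
            "port_id": port["id"],
            "router_id": device_id,
            "port_tenant": port.get("tenant_id") or "",
            "router_tenant": router_owner[device_id],
        }
        if not finding["port_tenant"]:
            # Assumption: a port without a tenant was created by the
            # service itself, so a human should confirm it.
            needs_review.append(finding)
        elif finding["port_tenant"] != finding["router_tenant"]:
            # Port owner differs from router owner: candidate for removal.
            cross_plugged.append(finding)
    return cross_plugged, needs_review


if __name__ == "__main__":
    cross, review = audit_router_ports(ROUTERS, PORTS)
    for f in cross:
        print("CROSS-PLUGGED port %(port_id)s (tenant %(port_tenant)s) on "
              "router %(router_id)s (tenant %(router_tenant)s)" % f)
    for f in review:
        print("REVIEW port %(port_id)s on router %(router_id)s" % f)
```

Run it with admin-scoped listings so ports from every tenant are included; a tenant-scoped listing only shows that tenant's own ports.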