Thanks. How about?
----
Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMware)
Products: Neutron
Affects: All supported versions
Description:
Aaron Rosen from VMware reported a vulnerability where Neutron fails
to perform proper authorization checks when creating ports. By
choosing a device id of a router from a different tenant when
creating a port, an authenticated user can access the network
of other tenants. This affects deployments of Neutron using plugins
relying on the l3-agent.
---
I might also add Aaron's note (below) in the OSSA -
One should perform an audit of the ports that are already
attached to routers after applying this patch and remove ports
that a tenant may have cross plugged.
---
If others are happy with that impact description I'll get a CVE assigned.
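
One way to run the audit described in the note above, as an added example that is not part of the original comment or of Neutron's code. It assumes router and port records have already been exported as dictionaries carrying the `id`, `tenant_id`, `device_id` and `device_owner` fields; the function name and the sample records are constructed for illustration.

```python
"""Flag ports whose device_id names a router owned by a different tenant."""


def find_cross_plugged_ports(routers, ports):
    """Return one finding per port attached to another tenant's router."""
    router_owner = {r["id"]: r["tenant_id"] for r in routers}
    findings = []
    for port in ports:
        device_id = port.get("device_id") or ""
        owner = router_owner.get(device_id)
        if owner is None:
            continue  # device_id is empty or does not name a known router
        if port["tenant_id"] != owner:
            findings.append({
                "port_id": port["id"],
                "port_tenant": port["tenant_id"],
                "router_id": device_id,
                "router_tenant": owner,
                "network_id": port.get("network_id"),
                "device_owner": port.get("device_owner"),
            })
    return findings


# Constructed sample records (not taken from any real deployment).
ROUTERS = [
    {"id": "router-a", "tenant_id": "tenant-a"},
    {"id": "router-b", "tenant_id": "tenant-b"},
]
PORTS = [
    {"id": "port-1", "tenant_id": "tenant-a", "device_id": "router-a",
     "device_owner": "network:router_interface", "network_id": "net-a"},
    # Created by tenant-b, but device_id points at tenant-a's router.
    {"id": "port-2", "tenant_id": "tenant-b", "device_id": "router-a",
     "device_owner": "network:router_interface", "network_id": "net-b"},
    {"id": "port-3", "tenant_id": "tenant-b", "device_id": "vm-1",
     "device_owner": "compute:nova", "network_id": "net-b"},
    {"id": "port-4", "tenant_id": "tenant-b", "device_id": "",
     "device_owner": "", "network_id": "net-b"},
]

if __name__ == "__main__":
    for f in find_cross_plugged_ports(ROUTERS, PORTS):
        print("REVIEW port {port_id} (tenant {port_tenant}) -> "
              "router {router_id} (tenant {router_tenant})".format(**f))
```

The check matches on `device_id` alone rather than filtering by `device_owner`, so a port is reported whatever owner string it carries. Each finding is a candidate to review before the port is removed.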