Jump to content
Compatible Support Forums
Sign in to follow this  

[RHSA-2014:1119-01] Moderate: openstack-neutron security, bug fix, and enhancement update

Recommended Posts


Hash: SHA1



Red Hat Security Advisory


Synopsis: Moderate: openstack-neutron security, bug fix, and enhancement update

Advisory ID: RHSA-2014:1119-01

Product: Red Hat Enterprise Linux OpenStack Platform

Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1119.html

Issue date: 2014-09-02

CVE Names: CVE-2014-3555



1. Summary:


Updated openstack-neutron packages that fix one security issue, several

bugs, and add various enhancements are now available for Red Hat Enterprise

Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7.


Red Hat Product Security has rated this update as having Moderate security

impact. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available from the CVE link in the

References section.


2. Relevant releases/architectures:


OpenStack 5.0 for RHEL 7 - noarch


3. Description:


OpenStack Networking (neutron) is a pluggable, scalable, and API-driven

system that provisions networking services to virtual machines. Its main

function is to manage connectivity to and from virtual machines. As of Red

Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum'

as the core component of OpenStack Networking.


A denial of service flaw was found in neutron's handling of allowed address

pairs. As there was no enforced quota on the amount of allowed address

pairs, a sufficiently authorized user could possibly create a large number

of firewall rules, impacting performance or potentially rendering a compute

node unusable. (CVE-2014-3555)


Red Hat would like to thank the OpenStack project for reporting this issue.

Upstream acknowledges Liping Mao from Cisco as the original reporter.


The openstack-neutron packages have been upgraded to upstream version

2014.1.2, which provides a number of bug fixes and enhancements over the

previous version, most notable of which are:


* Multiple Open vSwitch agent fixes: the agent now sets bridges in the

correct order to avoid breaking tunnel networks, creates the integration

bridge if it is missing, sets the secure-failing mode for integration

bridges to ensure the 'openvswitch' service does not program NORMAL action

on restart and instead relies on L2 agent to manage those bridges on

restart, limits veth names to 15 characters, and no longer spawns RPC

consumers before all the needed data structures are ready to be accessed.


* RPC interactions between the DHCP agent and the Neutron plug-in have

been optimized.


* Rule updates for security groups are now applied more effectively.


* Firewall-as-a-Service (FWaaS): a possible race condition when deleting a

firewall has been fixed; iptables updates are no longer deferred for the



* Metering: metering data for egress and ingress are now reported

separately; incorrect router key used to report against MongoDB has

been fixed.


* Load-Balancing-as-a-Service (LBaaS): resources are now registered against

quotas engine; rootwrap filters are now shipped independent of L3 agent



* Metaplugin now supports multiple RPC workers.


* The following plug-ins have been updated: BigSwitch, Brocade, Cisco N1k,

HyperV, OFAgent, PLUMgrid, and VMWare NSX.


Refer to https://launchpad.net/neutron/icehouse/2014.1.2 for more

information on the changes included in the 2014.1.2 of openstack-neutron.



This update also fixes the following bug:


* Previously, OpenStack Networking could stop processing network ports that

disappeared from the integration bridge during the L2-agent loop, even

after those ports were back on the bridge. As a result, updates for

temporarily disappeared ports were not handled by the L2 agent. With this

update, these ports are no longer marked as processed if not found on the

integration bridge. Ports are now processed correctly even after they

temporarily disappear from the integration bridge. (BZ#1115588)


All openstack-neutron users are advised to upgrade to these updated

packages, which correct these issues and add these enhancements.


4. Solution:


Before applying this update, make sure all previously released errata

relevant to your system have been applied.


This update is available via the Red Hat Network. Details on how to use the

Red Hat Network to apply this update are available at



5. Bugs fixed (https://bugzilla.redhat.com/):


1115588 - Upon rebuild instances might never get to Active state

1115714 - Cisco: Http timeout for connection to controller is not configurable

1118833 - CVE-2014-3555 openstack-neutron: Denial of Service in Neutron allowed address pair

1123826 - [upgrade] After Upgrade from Havana to Icehouse LBaas doesn't work - "cannot find group id for 'nogroup' "

1127428 - Rebase openstack-neutron to 2014.1.2


6. Package List:


OpenStack 5.0 for RHEL 7:




























These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from



7. References:






8. Contact:


The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/


Copyright 2014 Red Hat, Inc.


Version: GnuPG v1










Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this