Information Exposure Affecting neutron package, versions [0,18.0.0)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-NEUTRON-1577285
- published 31 Aug 2021
- disclosed 10 Sep 2018
- credit Unknown
Introduced: 10 Sep 2018
CVE-2018-14636 Open this link in a new tabHow to fix?
Upgrade neutron to version 18.0.0 or higher.
Overview
neutron is an OpenStack project to provide “network connectivity as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). It implements the Neutron API.
Affected versions of this package are vulnerable to Information Exposure. During live-migration there is a small time window where the ports of instances are untagged. Instances have a port trunked to the integration bridge and receive 802.1Q tagged private traffic from other tenants.
If the port is administratively down during live migration, the port will remain in trunk mode indefinitely. Traffic is possible between ports that are administratively down, even between tenants self-service networks. This allows end users within their own private network to receive from, and send traffic to, other private networks on the same compute node.