ID CVE-2019-9735
Summary An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)
References
Vulnerable Configurations
  • cpe:2.3:a:openstack:neutron:12.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:12.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:12.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:12.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:12.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:12.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:13.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:13.0.0:b1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:13.0.0.0:b1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:13.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:13.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:11.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:11.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:11.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:11.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:11.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:11.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:11.0.5-50:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:11.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:7.2.0-12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:8.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:8.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:8.3.0-11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:8.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.3.1-2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:9.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.2-1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.7-30:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:neutron:10.0.7-88:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVSS
Base: 4.0 (as of 04-08-2021 - 17:15)
Impact:
Exploitability:
CWE CWE-755
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: SINGLE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:N/I:N/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2019:0879
  • rhsa
    id RHSA-2019:0916
  • rhsa
    id RHSA-2019:0935
rpms
  • openstack-neutron-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-common-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-linuxbridge-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-macvtap-agent-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-metering-agent-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-ml2-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-openvswitch-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-rpc-server-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-sriov-nic-agent-1:13.0.3-0.20190313155649.00b63be.el7ost
  • python-neutron-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-1:9.4.1-40.el7ost
  • openstack-neutron-bigswitch-agent-2:9.42.14-1.el7ost
  • openstack-neutron-bigswitch-lldp-2:9.42.14-1.el7ost
  • openstack-neutron-common-1:9.4.1-40.el7ost
  • openstack-neutron-lbaas-1:9.2.2-8.el7ost
  • openstack-neutron-linuxbridge-1:9.4.1-40.el7ost
  • openstack-neutron-macvtap-agent-1:9.4.1-40.el7ost
  • openstack-neutron-metering-agent-1:9.4.1-40.el7ost
  • openstack-neutron-ml2-1:9.4.1-40.el7ost
  • openstack-neutron-openvswitch-1:9.4.1-40.el7ost
  • openstack-neutron-rpc-server-1:9.4.1-40.el7ost
  • openstack-neutron-sriov-nic-agent-1:9.4.1-40.el7ost
  • python-networking-bigswitch-2:9.42.14-1.el7ost
  • python-neutron-1:9.4.1-40.el7ost
  • python-neutron-lbaas-1:9.2.2-8.el7ost
  • python-neutron-lbaas-tests-1:9.2.2-8.el7ost
  • python-neutron-tests-1:9.4.1-40.el7ost
  • openstack-neutron-1:12.0.5-11.el7ost
  • openstack-neutron-common-1:12.0.5-11.el7ost
  • openstack-neutron-linuxbridge-1:12.0.5-11.el7ost
  • openstack-neutron-macvtap-agent-1:12.0.5-11.el7ost
  • openstack-neutron-metering-agent-1:12.0.5-11.el7ost
  • openstack-neutron-ml2-1:12.0.5-11.el7ost
  • openstack-neutron-openvswitch-1:12.0.5-11.el7ost
  • openstack-neutron-rpc-server-1:12.0.5-11.el7ost
  • openstack-neutron-sriov-nic-agent-1:12.0.5-11.el7ost
  • python-neutron-1:12.0.5-11.el7ost
refmap via4
bid 107390
bugtraq 20190319 [SECURITY] [DSA 4409-1] neutron security update
confirm https://security.openstack.org/ossa/OSSA-2019-001.html
debian DSA-4409
misc https://launchpad.net/bugs/1818385
mlist [oss-security] 20190318 [OSSA-2019-001] Unsupported dport option prevents applying security groups in OpenStack Neutron (CVE-2019-9735)
ubuntu USN-4036-1
Last major update 04-08-2021 - 17:15
Published 13-03-2019 - 02:29
Last modified 04-08-2021 - 17:15