Product:

Openstack

(Redhat)
Date ID Summary Products Score Patch
2019-11-14 CVE-2019-14818 A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x before 19.08.1 where a malicious master, or a container with access to vhost_user socket, can send specially crafted VRING_SET_NUM messages, resulting in a memory leak including file descriptors. This flaw could lead to a denial of service condition. Data_plane_development_kit, Openstack, Virtualization N/A
2019-11-05 CVE-2013-6461 Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits Debian_linux, Nokogiri, Cloudforms_management_engine, Enterprise_mrg, Openstack, Satellite, Subscription_asset_manager N/A
2019-11-05 CVE-2013-6460 Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents Debian_linux, Nokogiri, Cloudforms_management_engine, Enterprise_mrg, Openstack, Satellite, Subscription_asset_manager N/A
2019-11-01 CVE-2013-2255 HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. Debian_linux, Compute, Keystone, Openstack N/A
2019-03-26 CVE-2018-16856 In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowing for information exposure. Octavia, Openstack 7.5
2018-09-10 CVE-2018-14635 When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside of the allowed allocation pool. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3 and 11.0.5 are vulnerable. Neutron, Openstack 6.5
2018-09-10 CVE-2018-14620 The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over HTTP during the build stage. This could potentially allow an attacker to serve malicious code to the image builder and install in the resultant container image. Version of openstack-rabbitmq-container and openstack-containers as shipped with Red Hat Openstack 12, 13, 14 are believed to be vulnerable. Openstack 9.8
2018-07-30 CVE-2018-10898 A vulnerability was found in openstack-tripleo-heat-templates before version 8.0.2-40. When deployed using Director using default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials. Tripleo_heat_templates, Openstack 8.8
2018-07-26 CVE-2017-7543 A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources. Neutron, Openstack 5.9
2018-07-26 CVE-2017-7539 An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service. Qemu, Openstack, Virtualization 7.5