Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

   Moderate: openstack-neutron security, bug fix, and enhancement update
                              23 January 2014


        AusCERT Security Bulletin Summary

Product:           openstack-neutron
Publisher:         Red Hat
Operating System:  Red Hat
                   Linux variants
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-6419  

Original Bulletin: 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running openstack-neutron check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-neutron security, bug fix, and enhancement update
Advisory ID:       RHSA-2014:0091-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0091.html
Issue date:        2014-01-22
CVE Names:         CVE-2013-6419 

1. Summary:

Updated openstack-neutron packages that fix one security issue, several
bugs, and add various enhancements are now available for Red Hat Enterprise
Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

OpenStack 4 - noarch

3. Description:

The openstack-neutron packages provide Openstack Networking (neutron), the
virtual network service.

It was discovered that the metadata agent in OpenStack Networking was
missing an authorization check on the device ID that is bound to a specific
port. A remote tenant could guess the instance ID bound to a port and
retrieve metadata of another tenant, resulting in information disclosure.
Note that only OpenStack Networking setups running neutron-metadata-agent
were affected. (CVE-2013-6419)

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for
reporting this issue. Upstream acknowledges Aaron Rosen of VMware as the
original reporter.

The openstack-neutron packages have been upgraded to upstream version
2013.2.1, which provides a number of bug fixes and enhancements over the
previous version. The most notable fixes and enhancements are:

* Support for multiple workers in the Neutron API. This can be achieved by
  setting the 'workers=' parameter in the neutron.conf file.

* The downtime and report interval default settings are tuned for
  neutron agents.

* The floating IP address stability has been enhanced.

* A heartbeat-related deadlock problem in neutron-server has been fixed.


This update also fixes the following bugs:

* An incorrect warning was displayed when running neutron-dhcp-agent with
Red Hat Enterprise Linux's version of dnsmasq. This meant that users were
incorrectly warned that Red Hat Enterprise Linux's dnsmasq version will not
work with neutron-dhcp-agent. This warning has been removed, and will no
longer be logged to the neutron-dhcp-agent log file. (BZ#1040196)

* A bug in the QPID topic consumer re-connection logic (under the v2
topology) caused qpidd to use a malformed subscriber address after
restarting, resulting in RPC requests sent to a topic with multiple servers
ending up being incorrectly multicast to all servers. This update removes
the special-case reconnect logic that handles UUID addresses, which in turn
avoids the incorrect establishment of multiple subscription to the same
fanout address. The QPID broker now simply automatically generates unique
queue names when clients reconnect. (BZ#1045067)

* Thread-consuming QPID messages were killed silently by unhandled errors,
thus resulting in isolating the component from the rest of the system.
With this update, consuming threads are made more resilient to errors by
ensuring they do not die on an unhandled error. The error is now logged,
and the consuming thread is retried. (BZ#1054249)

In addition, this update adds the following enhancement:

* Previously, instances connected to tenant networks gained outside
connectivity by going through an SNAT by the L3 agent hosting that
network's virtual router. With this release, the ability to disable
SNAT/PAT on virtual servers is added ensuring that an instance in a tenant
network subnet will retain its IP address as it passes through external
networks. For example, if is an instance in the tenant
network, R1, a virtual router that connects the subnet to the public provider networks, then you can use the 'neutron
router-gateway-set --disable-snat R1 public' command and any traffic from, which is forwarded out to the provider network, will retain its
actual source IP address of This can be a flexible and useful
method to connect instances directly to a provider network, while retaining
it in a tenant network. (BZ#1046070)

All openstack-neutron users are advised to upgrade to these updated
packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

5. Bugs fixed (https://bugzilla.redhat.com/):

1038737 - neutron is creating duplicated NAT rules, resulting in instances without network connection
1039148 - CVE-2013-6419 OpenStack Neutron and Nova: Metadata queries from Neutron to Nova are not restricted by tenant
1039528 - Neutron rootwrap does not follow packaging guidelines
1040196 - Remove dnsmasq version warning for dhcp-agent on RHEL
1045067 - [oslo] With QPID, RPC calls to a topic are always fanned-out to all subscribers.
1046070 - Configurable External Gateway Modes
1046087 - The error message that indicates manual DB stamping is needed is not clear enough
1054249 - Thread consuming qpid messages can die silently

6. Package List:

OpenStack 4:



These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
Version: GnuPG v1.4.4 (GNU/Linux)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967