
DescriptionAn issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs926502

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
neutron (PTS)buster, buster (security)2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1fixed
bullseye, bullseye (security)2:17.2.1-0+deb11u1fixed
sid, trixie2:24.0.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
neutronsourcejessie(not affected)
neutronsourcestretch(not affected)


[stretch] - neutron <not-affected> (Vulnerable code introduced later; Around Pike Openstack release)
[jessie] - neutron <not-affected> (Vulnerable code introduced later; Around Pike Openstack release)

Search for package or bug name: Reporting problems