CVE-2015-5240
OpenStack Neutron Race condition vulnerability
EPSS 0.17%
Description
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with "network:" before the security group rules are applied.
How to fix CVE-2015-5240
To remediate CVE-2015-5240, upgrade the affected package to one of the fixed versions listed below.
- Debian/neutron—upgrade to 1:7.0.0-1 or later
- PyPI/neutron—upgrade to 7.0.0 or later
Is CVE-2015-5240 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/neutron: from 0, < 1:7.0.0-1
- PyPI/neutron: from 0, < 7.0.0