CVE-2021-38598
OpenStack Neutron vulnerable to hardware address impersonation
Severity: 9.1 CRITICAL (CVSS 3.1); EPSS: 0.14%
Description
OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations.
How to fix CVE-2021-38598
To remediate CVE-2021-38598, upgrade the affected package to one of the fixed versions listed below (one entry per affected package):
- — upgrade to 2:17.2.1-0+deb11u1 or later
- — upgrade to 16.4.1 or later
- — upgrade to 16.4.1 or later
Is CVE-2021-38598 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2:17.2.1-0+deb11u1
- from 0, < 16.4.1
- from 0, < 16.4.1, >= 17.0.0, < 17.1.3, >= 18.0.0, < 18.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |