CVE-2019-15753 Information

Description

In OpenStack os-vif 1.15.x before 1.15.2 and 1.16.0 a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge forcing obligatory Ethernet flooding of non-local destinations which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Reference

http://www.openwall.com/lists/oss-security/2019/08/29/2 https://launchpad.net/bugs/1837252 https://review.opendev.org/672834 https://review.opendev.org/678098 https://security.openstack.org/ossa/OSSA-2019-004.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

HIGH

Base Severity

9.1