CVE-2019-15753

critical

Description

In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.

References

Advisories
More

https://launchpad.net/bugs/1837252

http://www.openwall.com/lists/oss-security/2019/08/29/2

https://security.openstack.org/ossa/OSSA-2019-004.html

https://review.opendev.org/678098

https://review.opendev.org/672834

Details

Source: Mitre, NVD

Published: 2019-08-28

Updated: 2020-08-24

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Severity: Critical

EPSS

EPSS: 0.00965