
CVE-2021-38598

Published: 23 August 2021

OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations.

Priority

Medium

CVSS 3 base score: 9.1

Status

Package: neutron (Launchpad, Ubuntu, Debian)

Release: Status
bionic: Needs triage
focal: Needed
hirsute: Ignored (reached end-of-life)
impish: Not vulnerable (2:18.1.0+git2021072117.147830620f-0ubuntu2)
jammy: Not vulnerable (2:18.1.0+git2021072117.147830620f-0ubuntu2)
trusty: Does not exist
upstream: Released (2:18.1.0-2)
xenial: Needs triage

Notes

Author: mdeslaur
Note: This issue is fixed in (2:16.4.1-0ubuntu2) in focal-updates and
(2:18.1.0-0ubuntu2) in hirsute-updates, but they have not yet
been released to -security.
