Vulnerability Name:

CVE-2014-6414 (CCN-95976)

Assigned:2014-09-15
Published:2014-09-15
Updated:2018-10-19
Summary:OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-264
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2014-6414

Source: REDHAT
Type: Third Party Advisory
RHSA-2014:1686

Source: REDHAT
Type: Third Party Advisory
RHSA-2014:1785

Source: REDHAT
Type: Third Party Advisory
RHSA-2014:1786

Source: CCN
Type: oss-security Mailing List, Tue, 16 Sep 2014 00:58:43 +1000
CVE request for vulnerability in OpenStack Neutron

Source: CCN
Type: oss-security Mailing List, Mon, 15 Sep 2014 13:34:34 -0400 (EDT)
Re: CVE request for vulnerability in OpenStack Neutron

Source: SECUNIA
Type: Third Party Advisory
62299

Source: CCN
Type: IBM Security Bulletin 1022027
IBM Cloud Manager with OpenStack Keystone and Neutron Vulnerabilities (CVE-2014-3621, CVE-2014-6414)

Source: CCN
Type: IBM Security Bulletin 1022028
IBM SmartCloud Entry Keystone and Neutron Vulnerabilities (CVE-2014-3621, CVE-2014-6414)

Source: CCN
Type: IBM Security Bulletin N1020613
IBM PowerVC is Impacted by OpenStack Neutron Policy Admin-Only Rules Security Bypass (CVE-2014-6414)

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20140916 CVE request for vulnerability in OpenStack Neutron

Source: CCN
Type: BID-69807
OpenStack Neutron Security Bypass Vulnerability

Source: UBUNTU
Type: Third Party Advisory
USN-2408-1

Source: CCN
Type: Launchpad Bug #1357379
policy admin_only rules not enforced when changing value to default

Source: CONFIRM
Type: Patch, Third Party Advisory
https://bugs.launchpad.net/neutron/+bug/1357379

Source: XF
Type: UNKNOWN
neutron-cve20146414-sec-bypass(95976)

Source: CCN
Type: Openstack Web site
Neutron

Vulnerable Configuration:Configuration 1:
  • cpe:/a:openstack:neutron:*:*:*:*:*:*:*:* (Version >= 2013.2 and <= 2013.2.4)
  • OR cpe:/a:openstack:neutron:*:*:*:*:*:*:*:* (Version >= 2014.1 and < 2014.1.2)
  • OR cpe:/a:openstack:neutron:*:*:*:*:*:*:*:* (Version >= 2014.2 and <= 2014.2.4)

    • Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

    • Configuration CCN 1:
  • cpe:/a:openstack:neutron:2013.1:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:neutron:2014.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:powervc:1.2.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:powervc:1.2.1.0:-:-:-:standard:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20146414
    V
    		CVE-2014-6414
    2022-05-22
    oval:org.opensuse.security:def:55239
    P
    		Security update for openexr (Important)
    2021-09-02
    oval:org.opensuse.security:def:5085
    P
    		Security update for webkit2gtk3 (Important)
    2021-08-03
    oval:org.opensuse.security:def:5072
    P
    		Security update for arpwatch (Important)
    2021-06-28
    oval:org.opensuse.security:def:55922
    P
    		Security update for libgcrypt (Important)
    2021-06-24
    oval:org.opensuse.security:def:5745
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:5063
    P
    		Security update for webkit2gtk3 (Important)
    2021-06-17
    oval:org.opensuse.security:def:5054
    P
    		Security update for MozillaFirefox (Important)
    2021-06-08
    oval:org.opensuse.security:def:5723
    P
    		Security update for snakeyaml (Important)
    2021-06-07
    oval:org.opensuse.security:def:5021
    P
    		Security update for openldap2 (Moderate)
    2021-01-14
    oval:org.opensuse.security:def:11253
    P
    		openstack-neutron-2014.2.2.dev26-3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:4902
    P
    		Security update for virt-bootstrap (Moderate)
    2020-12-02
    oval:org.opensuse.security:def:4996
    P
    		Security update for php7 (Important)
    2020-12-02
    oval:org.opensuse.security:def:4794
    P
    		Security update for nginx (Moderate)
    2020-12-02
    oval:org.opensuse.security:def:4887
    P
    		Security update for xen (Important)
    2020-12-02
    oval:org.opensuse.security:def:4921
    P
    		Security update for skopeo (Moderate)
    2020-12-02
    oval:org.opensuse.security:def:4772
    P
    		Security update for openssh (Important)
    2020-12-02
    oval:org.opensuse.security:def:4840
    P
    		Security update for squid (Moderate)
    2020-12-02
    oval:org.opensuse.security:def:4764
    P
    		Security update for ovmf (Moderate)
    2020-12-02
    oval:org.opensuse.security:def:56315
    P
    		Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:55099
    P
    		emacs on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56481
    P
    		Security update for libwpd (Important)
    2020-12-01
    oval:org.opensuse.security:def:55477
    P
    		Security update for glibc (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55076
    P
    		coolkey on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56600
    P
    		Security update for libvirt (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55756
    P
    		Security update for krb5 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56207
    P
    		Security update for samba (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55077
    P
    		coreutils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56407
    P
    		Security update for java-1_7_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:56519
    P
    		Security update for java-1_7_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:55650
    P
    		Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr, mozilla-nss (Important)
    2020-12-01
    oval:org.mitre.oval:def:28174
    P
    		USN-2408-1 -- OpenStack Neutron vulnerability
    2014-12-29
    oval:com.ubuntu.trusty:def:20146414000
    V
    		CVE-2014-6414 on Ubuntu 14.04 LTS (trusty) - medium.
    2014-10-02
    BACK
    openstack neutron *
    openstack neutron *
    openstack neutron *
    canonical ubuntu linux 14.04
    openstack neutron 2013.1
    openstack neutron 2014.1
    ibm powervc 1.2.0.0
    ibm powervc 1.2.1.0 -