CVE-2018-14636

CWE-300
9 documents, 7 sources
Severity: 5.3 MEDIUM
EPSS: 0.2% (top 57.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 10
Latest update: May 13

Description

Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would pot

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (4 packages)

NVD: openstack/neutron 7.0.0 11.0.4 (+2)
CVEListV5: the_openstack_project/openstack-neutron 11.0.5, 12.0.3, 13.0.0.0b2 (+2)
PyPI: neutron 13.0.0.0b1 13.0.0.0b2 (+2)
Debian: neutron < 2:13.0.0-1 (+3)

🔴 Vulnerability Details (4)

GHSA: Openstack Neutron vulnerable to eavesdropping on private traffic (2022-05-13)
OSV: Openstack Neutron vulnerable to eavesdropping on private traffic (2022-05-13)
OSV: CVE-2018-14636: Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor (2018-09-10)
CVEList: CVE-2018-14636: Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor (2018-09-10)

📋 Vendor Advisories (2)

Red Hat: openstack-neutron: eavesdropping private traffic due to trunk ports after live migration (2018-04-27)
Debian: CVE-2018-14636: neutron - Live-migrated instances are briefly able to inspect traffic for other instances ... (2018)

💬 Community (2)

Bugzilla: CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration [openstack-rdo] (2018-06-25)
Bugzilla: CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration (2018-06-25)