CVE-2019-9735

Publication date 12 March 2019

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)

Status

Show unmaintained releases

Package	Ubuntu Release	Status
neutron	19.04 disco	Not affected
	18.10 cosmic	Fixed 2:13.0.2-0ubuntu3.4
	18.04 LTS bionic	Fixed 2:12.0.6-0ubuntu1
	16.04 LTS xenial	Fixed 2:8.4.0-0ubuntu7.4
	14.04 LTS trusty	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
neutron	Upstream: https://review.openstack.org/640685 Upstream: https://review.openstack.org/640702 Upstream: https://review.openstack.org/640790 Upstream: https://review.openstack.org/640791

Severity score breakdown

Parameter	Value
Base score	6.5 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

USN-4036-1
OpenStack Neutron vulnerability
25 June 2019