CVE-2017-7543
Description
A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in openstack-neutron, triggered during minor overcloud updates, resets bridge-nf-call sysctls to 0, disabling security groups and exposing tenant networks.
Vulnerability
A race-condition flaw exists in openstack-neutron where, during a minor overcloud update, the kernel parameters net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables are reset to 0. This disables iptables filtering for bridged traffic, effectively disabling neutron security groups. The vulnerability affects openstack-neutron versions before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1 [1][2].
Exploitation
An attacker does not require authentication or special privileges; the race is only triggered by the update process itself. When a system administrator performs a minor overcloud update on affected OpenStack deployments, the race condition may cause the bridge-nf-call sysctls to be reset. During the window between the update and the restoration of these settings (or if they are not restored), an attacker on the same network segment can access tenant virtual machines (VMs) and network resources that would normally be protected by security group rules [1][2]. No user interaction from the victim is needed beyond the administrator applying the update.
Impact
Successful exploitation allows an attacker to bypass neutron security group filtering, resulting in unauthorized network access to tenant VMs and resources. This can lead to information disclosure, potential data modification, or further lateral movement within the cloud environment. The compromise occurs at the network isolation layer, effectively nullifying the security group protections intended by the OpenStack deployment [1][2][3][4].
Mitigation
Red Hat released security updates for Red Hat Enterprise Linux OpenStack Platform versions 6.0 (Juno) and 7.0 (Kilo) on 2017-08-08 under RHSA-2017:2452 and RHSA-2017:2450, respectively [3][4]. The fixed versions are: openstack-neutron-2014.2.3-42.el7ost for Juno and openstack-neutron-2015.1.4-16.1.el7ost for Kilo [3][4]. Administrators should apply these updates and ensure that the net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables sysctls are set to 1 and persisted after updates. No workarounds other than patching are documented. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
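The mitigation above asks administrators to confirm that both bridge-netfilter sysctls are 1 and stay 1 after an update. The following POSIX shell audit is an added example (not code from the advisory, Red Hat, or the neutron project). It assumes only the `key = value` listing format that `sysctl -a` prints and that `/etc/sysctl.conf` and `/etc/sysctl.d/*.conf` use, so one function checks both the running kernel and the persisted configuration; the sample listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the advisory or the neutron project): audit the two
# bridge-netfilter sysctls that this flaw leaves reset to 0 after an update.
# Input is any "key = value" listing, the format printed by `sysctl -a` and
# used by /etc/sysctl.conf and /etc/sysctl.d/*.conf, so the same function
# checks the running kernel and the persisted configuration.

# check_bridge_nf LISTING
# Prints one line per key; returns 0 only if both keys are present and set to 1.
check_bridge_nf() {
    listing=$1
    status=0
    for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
        # Escape the dots so sed treats the key literally.
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        # Last match wins, mirroring how sysctl applies later entries over earlier ones.
        value=$(printf '%s\n' "$listing" \
            | sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" \
            | tail -n 1 | tr -d '[:space:]')
        if [ -z "$value" ]; then
            echo "MISSING  $key (br_netfilter not loaded, or key not persisted)"
            status=1
        elif [ "$value" != "1" ]; then
            echo "DISABLED $key = $value (bridged traffic bypasses iptables)"
            status=1
        else
            echo "ok       $key = 1"
        fi
    done
    return $status
}

# Constructed sample listings (not captured from a real host).
SAMPLE_AFTER_UPDATE='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0'

SAMPLE_HEALTHY='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1'

# Run with --demo to see both samples; with --live to audit this host's
# running values and its persisted sysctl files.
case "${1:-}" in
    --demo)
        echo "== sample: state after the buggy update"; check_bridge_nf "$SAMPLE_AFTER_UPDATE"
        echo "== sample: expected state";              check_bridge_nf "$SAMPLE_HEALTHY"
        ;;
    --live)
        echo "== running kernel";   check_bridge_nf "$(sysctl -a 2>/dev/null)"
        echo "== persisted config"; check_bridge_nf "$(cat /etc/sysctl.conf /etc/sysctl.d/*.conf 2>/dev/null)"
        ;;
esac
```

Running the script with `--live` on a compute or network node reports a non-zero exit whenever either key is absent or not 1, which makes it easy to wire into a post-update check. Checking the persisted files separately matters because a value that is correct in the running kernel but absent from the sysctl configuration will be lost on the next reboot or module reload.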
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| neutron (PyPI) | < 7.2.0-12.1 | 7.2.0-12.1 |
| neutron (PyPI) | >= 8.0.0, < 8.3.0-11.1 | 8.3.0-11.1 |
| neutron (PyPI) | >= 9.0.0, < 9.3.1-2.1 | 9.3.1-2.1 |
| neutron (PyPI) | >= 10.0.0, < 10.0.2-1.1 | 10.0.2-1.1 |
Affected products
- Red Hat / openstack-neutron (v5), range: openstack-neutron-10.0.2-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2017:2447 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2017:2448 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2017:2449 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2017:2450 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2017:2451 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2017:2452 (Red Hat vendor advisory)
- github.com/advisories/GHSA-hvxr-2fvv-c3wq (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7543 (NVD advisory)
- www.securityfocus.com/bid/100237 (SecurityFocus BID vulnerability database entry)
- access.redhat.com/security/cve/CVE-2017-7543 (Red Hat CVE page)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla, confirmation)
- opendev.org/openstack/neutron (package source)
- web.archive.org/web/20200227153412/https://www.securityfocus.com/bid/100237 (archived SecurityFocus BID)
News mentions
No linked articles in our index yet.