VYPR
High severity · NVD Advisory · Published May 28, 2021 · Updated Aug 3, 2024

CVE-2021-20267


Description

A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch driver are affected. Source: OpenStack project. Versions before openstack-neutron 15.3.3, openstack-neutron 16.3.1 and openstack-neutron 17.1.1 are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenStack Neutron default Open vSwitch firewall rules allow IPv6 address spoofing, enabling denial of service and potential traffic interception.

Vulnerability

A flaw exists in OpenStack Neutron's default Open vSwitch firewall rules (Open vSwitch driver only). By sending carefully crafted packets, an attacker in control of a server instance connected to the virtual switch can impersonate IPv6 addresses of other systems on the network. Affected versions include openstack-neutron before 15.3.3, before 16.3.1, and before 17.1.1 [1][4].

Exploitation

An attacker must have control of a server instance connected to a virtual switch using the Open vSwitch driver. No special network position is required beyond being on the same virtual switch. By crafting specific packets, the attacker can spoof IPv6 addresses, effectively bypassing the anti-spoofing rules intended to prevent such behavior [1][4].

Impact

Successful exploitation results in denial of service or, in some cases, interception of traffic intended for other destinations. The attacker can impersonate other systems on the network, leading to potential information disclosure or disruption [1].

Mitigation

Fixed versions: openstack-neutron 15.3.3, 16.3.1, and 17.1.1 (released around May-June 2021) [1]. Red Hat noted that no mitigation was available at the time of disclosure for affected products, and the fix was included in later packages (e.g., openstack-neutron-12.1.1-44.el7ost for OSP-13) [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions       Patched versions
neutron (PyPI)   >= 16.0.0, < 16.3.1     16.3.1
neutron (PyPI)   < 15.3.3                15.3.3
neutron (PyPI)   >= 17.0.0, < 17.1.1     17.1.1

Affected products

2
  • OpenStack project/openstack-neutron (description)
  • ghsa-coords
    Range: >= 16.0.0, < 16.3.1


References

5