6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-9735

GHSA ID

GHSA-9773-3fqg-8w25

EPSS Score

0.82868%

CWE

CWE-755

Published

5/13/2022

Updated

10/3/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-9735

CVE-2019-9735: OpenStack Neutron's unsupported dport option prevents applying security groups

An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-9735

GHSA ID

GHSA-9773-3fqg-8w25

EPSS Score

0.82868%

CWE

CWE-755

Published

5/13/2022

Updated

10/3/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
neutron	pip	< 10.0.8	10.0.8
neutron	pip	>= 11.0.0, < 11.0.7	11.0.7
neutron	pip	>= 12.0.0, < 12.0.6	12.0.6
neutron	pip	>= 13.0.0, < 13.0.3	13.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation of protocol-port compatibility when generating iptables rules. The primary issue lies in the iptables driver's rule construction logic (_build_rule), which appended '--dport' without verifying protocol support (e.g., VRRP). The secondary issue is in the security group processing layer (_process_security_group_rule), which did not filter invalid rules before passing them to the firewall driver. Patches addressed these by adding protocol-specific checks and omitting '--dport' where unsupported. The high confidence for _build_rule is based on direct linkage to iptables command generation, while _process_security_group_rule is marked medium due to indirect involvement in validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** ipt**l*s *ir*w*ll mo*ul* in Op*nSt**k N*utron ***or* **.*.*, **.x ***or* **.*.*, **.x ***or* **.*.*, *n* **.x ***or* **.*.*. *y s*ttin* * **stin*tion port in * s**urity *roup rul* *lon* wit* * proto*ol t**t *o*sn't supp

Reasoning

T** vuln*r**ility st*ms *rom improp*r v*li**tion o* proto*ol-port *omp*ti*ility w**n **n*r*tin* ipt**l*s rul*s. T** prim*ry issu* li*s in t** ipt**l*s *riv*r's rul* *onstru*tion lo*i* (_*uil*_rul*), w*i** *pp*n*** '--*port' wit*out v*ri*yin* proto*ol

6.5

Basic Information

Concerned about an active attack path?

CVE-2019-9735: OpenStack Neutron's unsupported dport option prevents applying security groups

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI