CVE-2021-38598: 
Python vulnerability analysis and mitigation

OpenStack Neutron versions before 16.4.1, 17.x before 17.1.3, and 18.0.0 contain a hardware address impersonation vulnerability (CVE-2021-38598) when using the linuxbridge driver with ebtables-nft on Netfilter-based platforms. The vulnerability was discovered by Jake Yip from ARDC and Justin Mammarella from the University of Melbourne and was disclosed on August 23, 2021 (NVD, Ubuntu).

The vulnerability occurs due to incompatibility issues between the linuxbridge driver and ebtables-nft implementation. When a new chain is created, the FLUSH command reverts the default policy back to RETURN instead of maintaining the intended DROP policy, which breaks the ARP spoofing protection mechanism. This affects systems using ebtables-nft, such as Ubuntu Focal and CentOS Stream. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (NVD).

By sending carefully crafted packets, an attacker with control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network. This can result in denial of service conditions or potentially allow the interception of traffic intended for other destinations (NVD, Launchpad Bug).

The vulnerability has been fixed in OpenStack Neutron versions 16.4.1, 17.1.3, and newer releases. The fix involves modifying the ARP protection commands to be compatible with ebtables-nft by ensuring proper chain creation with default DROP rules and correct rule prioritization (Launchpad Bug).