Mirantis OpenStack

Neutron L2 agent DoS through incorrect allowed address pairs (CVE-2015-3221)

Bug #1466490 reported by Alexander Ignatov
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Fix Released
Critical
Alexander Ignatov
Mirantis OpenStack 7.0
6.0.x
Fix Released
Critical
MOS Maintenance
Mirantis OpenStack 6.0-mu-4
6.1.x
Fix Released
Critical
Alexander Nevenchannyy
Mirantis OpenStack 6.1-mu-1
7.0.x
Fix Released
Critical
Alexander Ignatov
Mirantis OpenStack 7.0

Bug Description

This is [pre-OSSA] Vulnerability in OpenStack Neutron (CVE-2015-3221)

Title: Neutron L2 agent DoS through incorrect allowed address pairs
Reporter: Darragh O'Reilly (HP)
Products: Neutron
Affects: 2014.2 versions through 2014.2.3 and 2015.1.0 version

Description:
Darragh O'Reilly from HP reported a vulnerability in Neutron. By adding
an address pair which is rejected as invalid by the ipset tool, an
authenticated user may crash the Neutron L2 agent resulting in a denial
of service attack. Neutron setups using the IPTables firewall driver are
affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/juno, stable/kilo and master on the public
disclosure date.

CVE: CVE-2015-3221

Proposed public disclosure date/time:
2015-06-23, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

CVE References

Dmitry Mescheryakov (dmitrymex)
Changed in mos:
milestone: none → 6.1
importance: High → Critical
Revision history for this message
Alexander Nevenchannyy (anevenchannyy) wrote :

Change request for 6.0-updates branch https://review.fuel-infra.org/#/c/8287/

Vitaly Sedelnik (vsedelnik)
tags: added: 6.1-mu-1
Revision history for this message
Alexander Nevenchannyy (anevenchannyy) wrote :

We are don't need testing scenario for this issue, because this behavior are validated by unit tests. Please see https://review.fuel-infra.org/#/c/8287/1/neutron/tests/unit/test_extension_allowedaddresspairs.py

Vitaly Sedelnik (vsedelnik)
information type: Private Security → Public Security
Revision history for this message
Kristina Berezovskaia (kkuznetsova) wrote :

Verify for 7.0 on
VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "7.0"
  openstack_version: "2015.1.0-7.0"
  api: "1.0"
  build_number: "98"
  build_id: "2015-07-27_09-24-22"
  nailgun_sha: "d5c19f6afc66b5efe3c61ecb49025c1002ccbdc6"
  python-fuelclient_sha: "58c411d87a7eaf0fd6892eae2b5cb1eff4190c98"
  fuel-agent_sha: "2a65f11c10b0aeb5184247635a19740fc3edde21"
  astute_sha: "34e0493afa22999c4a07d3198ceb945116ab7932"
  fuel-library_sha: "39c3162ee2e2ff6e3af82f703998f95ff4cc2b7a"
  fuel-ostf_sha: "94a483c8aba639be3b96616c1396ef290dcc00cd"
  fuelmain_sha: "921918a3bd3d278431f35ad917989e46b0c24100"

I did manually this test https://review.fuel-infra.org/#/c/8287/1/neutron/tests/unit/test_extension_allowedaddresspairs.py: create port with MAC 00:00:00:00:00:01 and address_pair 0.0.0.0/0. Port was created successfully without traces in logs. I also tried to create ports from review (0.0.0.0/1 and 128.0.0.1/1) and they also were created successfully

Fix Committed -> Fix Released

tags: added: on-verification
tags: removed: on-verification
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on patching-tests (stable/6.1)

Change abandoned by Alex Ermolov <email address hidden> on branch: stable/6.1
Review: https://review.fuel-infra.org/9320
Reason: Doesn't make sense anymore

Adam Heczko (aheczko-mirantis)
tags: added: feature-security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.