On new port, traffic flow is allowed before security groups are programmed
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| neutron | Fix Released | Low | Kevin Benton | |
Bug Description
Description:
During the creation of a neutron port, in the ovs_neutron_agent, traffic flow is enabled shortly before security groups are programmed.
File: neutron/
Function: process_
Step-by-step:
During the creation of a neutron port, the following calls are made:
- treat_devices_
- sg_agent.
- _bind_devices
Before early November, process_
Bug #1512636 reversed this order of operation, so that _bind_devices is called before sg_agent.
Proposed solution:
Revert bug# 1512636
Changed in neutron:
- assignee: nobody → Kevin Benton (kevinbenton)
- status: New → Triaged
- importance: Undecided → Medium
- milestone: none → mitaka-3
- tags: added: security

Changed in neutron:
- milestone: mitaka-3 → mitaka-2
- description: updated
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
How big is the window when the port is not filtered?