dangerous secgroup rule created when the "SourceSecurityGroupName" property string doesn't refer to an existing security group
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Heat | Fix Released | High | Zane Bitter |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | High | Nathan Kinder |
Bug Description
Given the following resources in a template:
"WikiDataba
"Type" : "AWS::EC2:
"Properties" : {
]
}
},
"WebServerS
"Type" : "AWS::EC2:
"Properties" : {
]
}
},
If, the string WebServerSecuri
IP Protocol | From Port | To Port | IP Range | Source Group
---|---|---|---|---
icmp | -1 | -1 | 10.1.1.0/24 |
tcp | 80 | 80 | 10.1.1.0/24 |
tcp | 22 | 22 | 10.1.1.0/24 |
tcp | 3306 | 3306 | 0.0.0.0/0 |
Of course this is not the behaviour that the user expected and no warning is thrown.
The correct syntax in this case would be to use '"SourceSecurit
The fact that it creates a rule with source IP 0.0.0.0/0 unbeknownst to the user is dangerous.
If the string does not refer to the name of an existing security group, then an error should be thrown.
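The failure mode above, as an added illustration that is not Heat's code: a constructed template and a constructed set of existing groups, with the reported fall-through to 0.0.0.0/0 beside the check that rejects an unresolved SourceSecurityGroupName instead. Resource names (WebTierSG, DbTierSG) and group names are made up.

```python
# Constructed example (not Heat's code): an ingress entry whose
# SourceSecurityGroupName does not resolve becomes a world-open CIDR rule,
# and the check that rejects it instead. Names below are made up.
WORLD_OPEN = "0.0.0.0/0"

# Constructed template in the CFN-compatible form the report uses.
TEMPLATE = {"Resources": {
    "WebTierSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": "80",
                                  "ToPort": "80", "CidrIp": "10.1.1.0/24"}]}},
    "DbTierSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": "3306",
                                  "ToPort": "3306",
                                  "SourceSecurityGroupName": "WebTierSG"}]}}}}

# Groups the cloud already knows about (constructed). The bare logical name
# "WebTierSG" is not among them, which is exactly the reported situation.
EXISTING_GROUPS = {"default", "mystack-WebTierSG-abc123"}


def rule_buggy(ingress, existing):
    """Reported behaviour: an unresolved name silently falls back to a CIDR."""
    name = ingress.get("SourceSecurityGroupName")
    base = {"proto": ingress["IpProtocol"], "from_port": ingress["FromPort"],
            "to_port": ingress["ToPort"]}
    if name in existing:
        return dict(base, group=name, cidr=None)
    return dict(base, group=None, cidr=ingress.get("CidrIp", WORLD_OPEN))


def rule_checked(ingress, existing):
    """Fixed behaviour: a source group name that does not exist is an error."""
    name = ingress.get("SourceSecurityGroupName")
    if name is not None and name not in existing:
        raise ValueError("SourceSecurityGroupName %r is not an existing "
                         "security group" % name)
    return rule_buggy(ingress, existing)


def audit(template, existing):
    """(resource, rule) pairs that would silently open a port to the world."""
    findings = []
    for res_name, res in template["Resources"].items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for ingress in res["Properties"].get("SecurityGroupIngress", []):
            rule = rule_buggy(ingress, existing)
            if "SourceSecurityGroupName" in ingress and rule["cidr"] == WORLD_OPEN:
                findings.append((res_name, rule))
    return findings
```

Running `audit(TEMPLATE, EXISTING_GROUPS)` flags the DbTierSG rule as tcp 3306 from 0.0.0.0/0, the same row that appears in the rule listing above, while `rule_checked` raises for it.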
Changed in ossa: status: New → Incomplete
Changed in heat: assignee: nobody → Zane Bitter (zaneb)
Changed in ossa: status: Incomplete → Won't Fix
Changed in heat: status: Fix Committed → Fix Released
Changed in ossn: assignee: nobody → Nathan Kinder (nkinder)
Changed in ossn: importance: Undecided → High
Changed in ossn: status: New → In Progress
Changed in heat: milestone: icehouse-rc1 → 2014.1
Can you see potential for this affecting OS::Neutron::SecurityGroup too?