Exploitable services exposed on community test nodes

Bug #1749326 reported by Jeremy Stanley
Affects        Status         Importance   Assigned to   Milestone
kolla-ansible  Fix Released   Critical     Unassigned

Bug Description

One of the donor service providers for the upstream OpenStack Infrastructure CI pool has notified us that their security team's periodic vulnerability scans have been identifying systems at random within our environment as running open memcached servers. Job correlation from these reports indicates each was running one of the following:

kolla-ansible-oraclelinux-binary
kolla-ansible-oraclelinux-source
kolla-ansible-oraclelinux-source-ceph

Please adjust the configuration of your job framework to prevent these services from being exposed to the Internet (through iptables ingress filters, service ACLs, configuring them to not listen on globally-routable interfaces, whatever works). Thanks!

Tags: security
Jeremy Stanley (fungi)
tags: added: security
Changed in kolla-ansible:
importance: Undecided → High
status: New → Confirmed
Changed in kolla-ansible:
importance: High → Critical
Revision history for this message
Jeremy Stanley (fungi) wrote :

Any update on the state of this? It's really pretty urgent. An example of _why_ it's a problem: http://www.openwall.com/lists/oss-security/2018/03/02/1

Jeffrey Zhang (jeffrey4l) wrote :

We are trying to use iptables to prevent other IPs from connecting to the memcached port.

I think devstack has the same issue; how does it avoid it?

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla-ansible (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/550325

Jeremy Stanley (fungi) wrote :

We preinstall restrictive iptables rulesets on our images when building them via http://git.openstack.org/cgit/openstack-infra/project-config/tree/nodepool/elements/nodepool-base/install.d/20-iptables and devstack configures keystone's memcached_servers setting to localhost:11211 so that it traverses the loopback interface rather than an externally-reachable address.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla-ansible (master)

Change abandoned by Jeffrey Zhang (jeffrey.zhang@99cloud.net) on branch: master
Review: https://review.openstack.org/550325
Reason: check https://review.openstack.org/#/c/549715/1

Paul Bourke (pauldbourke) wrote :

Hi Jeremy, thanks for the link. I'm going to look at adding these rules to kolla tomorrow, will update here asap.

Jeremy Stanley (fungi) wrote :

It's worth noting that all the test nodes on which jobs run boot up with the rules I linked above already applied. If memcached or other services are being exposed on reachable interfaces of the node then it can only be because you're altering or tearing down the existing iptables ruleset.
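
An added check, not code from this bug report or from the kolla-ansible project: given constructed `ss -Hltn` and `iptables -S INPUT` output (marked as constructed in the block), it reports watched ports, memcached's 11211 by default, that are bound to a non-loopback address and still reachable through the INPUT chain, which is the condition the donor's scanner was picking up. The iptables part is a deliberate heuristic (a chain with policy ACCEPT and no DROP/REJECT rule, the state `iptables -F` leaves, or an explicit ACCEPT for the port), not a full rule evaluation.

```python
import ipaddress
# Constructed `ss -Hltn` sample (not captured from a real node).
SAMPLE_SS = """\
LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:11211 0.0.0.0:*
LISTEN 0 128 *:5000 *:*
LISTEN 0 128 [::]:22 [::]:*
"""
# Constructed `iptables -S INPUT` samples: after `iptables -F`, and a restrictive ruleset.
IPT_FLUSHED = "-P INPUT ACCEPT\n"
IPT_RESTRICTIVE = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def is_loopback_bind(host):
    """True for 127.0.0.0/8 or ::1; '*', 0.0.0.0 and :: bind every interface."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # '*' or anything unparsable
        return False

def exposed_listeners(ss_output):
    """(host, port) of each listening socket not bound to a loopback address."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # '[::]:22' -> '[::]', '22'
        host = host.strip("[]")
        if not is_loopback_bind(host):
            found.append((host, int(port)))
    return found

def port_reachable(ipt_output, port):
    """Heuristic: policy ACCEPT with no DROP/REJECT rule, or an explicit ACCEPT for the port."""
    rules = [line.split() for line in ipt_output.splitlines()]
    policy_accept = ["-P", "INPUT", "ACCEPT"] in rules
    dropping = any("-j" in r and r[r.index("-j") + 1] in ("DROP", "REJECT") for r in rules)
    accepted = any("--dport" in r and r[r.index("--dport") + 1] == str(port)
                   and r[-1] == "ACCEPT" for r in rules)
    return (policy_accept and not dropping) or accepted

def audit(ss_output, ipt_output, watch_ports=(11211,)):
    """Watched ports bound to a non-loopback address and reachable through INPUT."""
    return [(h, p) for h, p in exposed_listeners(ss_output)
            if p in watch_ports and port_reachable(ipt_output, p)]
```

Run on a live node by feeding it the real `ss -Hltn` and `iptables -S INPUT` output; an empty result from `audit` with the restrictive sample, and a hit with the flushed one, is the contrast the commit message describes.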

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.openstack.org/550821
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=404d4d0a50f292b1fd6e916cf80813b260621840
Submitter: Zuul
Branch: master

commit 404d4d0a50f292b1fd6e916cf80813b260621840
Author: Paul Bourke <email address hidden>
Date: Thu Mar 8 12:55:05 2018 +0000

    Use zuul firewall rules in gate

    Till now we've been flushing iptables in the gates to allow cross node
    communication in the multi node ceph jobs. This raised security
    concerns, in particular it exposed memcached to the external net.

    This patch uses the infra provided role 'multi-node-firewall' in order
    to correctly configure iptables. Thanks to Jeremy Stanley and Jeffrey
    for help with this.

    Closes-Bug: #1749326
    Change-Id: Iafaf1cf1d9b0227b0f869969d0bd52fbde3791a0

Changed in kolla-ansible:
status: Confirmed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 7.0.0.0b2

This issue was fixed in the openstack/kolla-ansible 7.0.0.0b2 development milestone.
