(CVE-2015-5240) Neutron firewall rules bypass through port update
Bug #1489958 reported by Alexander Ignatov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Committed | High | Alexander Ignatov |
5.1.x | Fix Released | High | Denis Puchkin |
6.0.x | Fix Released | High | Denis Puchkin |
6.1.x | Fix Released | High | Denis Puchkin |
7.0.x | Fix Released | High | Alexander Ignatov |
Bug Description
This is a patch to backport the fix for this CVE.
Original description
=======
Kevin Benton from Mirantis reported a vulnerability in Neutron. By
changing the device owner of an instance's port right after it is
created, an authenticated user may prevent application of firewall rules
and so avoid IP anti-spoofing controls. All Neutron setups using the ML2
plugin or a plugin that relies on the security groups AMQP API are affected.
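The mitigation for this class of bypass is a policy restriction on who may set a port's device_owner to a network:* value. The fragment below is an added example of such a rule in Neutron policy.json syntax; it is not taken from this bug page or from any specific Neutron release, and the exact rule expressions are an assumption to be compared against the policy.json your release ships.

```json
{
  "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
  "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
  "context_is_advsvc": "role:advsvc",

  "network_device": "field:port:device_owner=~^network:",

  "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
  "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",

  "update_port": "rule:admin_or_owner or rule:context_is_advsvc"
}
```

Without the create_port:device_owner and update_port:device_owner entries, the attribute is governed only by the generic update_port rule, so any tenant owning a port could relabel it as a network:dhcp device; with them, a device_owner beginning with "network:" is accepted only from an admin, the network owner, or the advanced-service role.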
CVE References: CVE-2015-5240
information type: Private Security → Public Security
tags: added: on-verification
tags: added: on-automation
tags: added: feature-security
verify on: version: "2015.1.0-7.0"
VERSION:
feature_groups:
- mirantis
production: "docker"
release: "7.0"
api: "1.0"
build_number: "301"
build_id: "301"
Environment: vlan+neutron, 3 controllers, 2 compute
Steps: create a new user with the member role; as admin, create a shared network. Log in as the member user, create a port in the shared network and try to update it.
Result:
neutron port-update d666ec3b-f2c2-4a46-9497-4d9ecc70e3a1 --device_owner "network:dhcp"
Policy doesn't allow (rule:update_port and rule:update_port:device_owner) to be performed