special routers ports' ownership can be edited
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | Fix Released | High | Armando Migliaccio |
Bug Description
This is basically a sister bug of bug #1243327, but applies to DVR and, possibly, HA routers. This affects plugins that support DVR/HA, which right now is just ML2/OVS.
In a nutshell what happens is that check _enforce_
From a data plane standpoint, since these routers work a bit differently from centralized routers, there is no actual cross plugging. In fact, since DVR routers will do the interface plugging only after a network has been attached to the router, this makes the exploit a lot more difficult to achieve, but the fix provided at least prevents malicious attempts from creative people.
[1] https:/
Patch applies for master attached, which applies cleanly to Juno.
Changed in neutron:
assignee: nobody → Armando Migliaccio (armando-migliaccio)
Changed in neutron:
importance: Undecided → High
tags: added: l3-dvr-backlog
tags: added: juno-backport-potential
Changed in neutron:
milestone: none → kilo-3
tags: removed: juno-backport-potential
Changed in neutron:
status: Fix Committed → Fix Released
Changed in neutron:
milestone: kilo-3 → 2015.1.0
description: updated
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.