2015-01-14 21:33:52 |
Armando Migliaccio |
bug |
|
|
added bug |
2015-01-14 21:33:52 |
Armando Migliaccio |
attachment added |
|
bug-fix.patch https://bugs.launchpad.net/bugs/1410984/+attachment/4298654/+files/bug-fix.patch |
|
2015-01-14 21:35:08 |
Armando Migliaccio |
summary |
Routers can be cross plugged by other tenants |
DVR Routers ports ownership can be edited |
|
2015-01-14 21:35:26 |
Armando Migliaccio |
summary |
DVR Routers ports ownership can be edited |
special routers ports' ownership can be edited |
|
2015-01-14 21:36:08 |
Armando Migliaccio |
description |
This is basically a sister bug of bug #1243327, but applies to DVR and, possibly, HA routers. This affects plugins that support DVR/HA, which right now is just ML2/OVS.
In a nutshell what happens is that check _enforce_device_owner_not_router_intf_or_device_id in [1] is skipped, instead of being forbidden.
From a data plane standpoint, since these routers work a bit differently from centralized routers, there is no actual cross plugging. In fact, since DVR routers will do the interface plugging only after a network has been attached to the router; this makes the exploit a lot more difficult to achieve, but the fix provided at least prevents malicious attempts from creative people.
[1] https://github.com/openstack/neutron/blob/stable/juno/neutron/db/db_base_plugin_v2.py#L1493 (stable/juno)
Patch applies for master attached, which applies cleanly to Juno. |
This is basically a sister bug of bug #1243327, but applies to DVR and, possibly, HA routers. This affects plugins that support DVR/HA, which right now is just ML2/OVS.
In a nutshell what happens is that check _enforce_device_owner_not_router_intf_or_device_id in [1] is skipped, instead of being forbidden.
From a data plane standpoint, since these routers work a bit differently from centralized routers, there is no actual cross plugging. In fact, since DVR routers will do the interface plugging only after a network has been attached to the router, this makes the exploit a lot more difficult to achieve, but the fix provided at least prevents malicious attempts from creative people.
[1] https://github.com/openstack/neutron/blob/stable/juno/neutron/db/db_base_plugin_v2.py#L1493 (stable/juno)
Patch applies for master attached, which applies cleanly to Juno. |
|
2015-01-14 21:50:17 |
Tristan Cacqueray |
description |
This is basically a sister bug of bug #1243327, but applies to DVR and, possibly, HA routers. This affects plugins that support DVR/HA, which right now is just ML2/OVS.
In a nutshell what happens is that check _enforce_device_owner_not_router_intf_or_device_id in [1] is skipped, instead of being forbidden.
From a data plane standpoint, since these routers work a bit differently from centralized routers, there is no actual cross plugging. In fact, since DVR routers will do the interface plugging only after a network has been attached to the router, this makes the exploit a lot more difficult to achieve, but the fix provided at least prevents malicious attempts from creative people.
[1] https://github.com/openstack/neutron/blob/stable/juno/neutron/db/db_base_plugin_v2.py#L1493 (stable/juno)
Patch applies for master attached, which applies cleanly to Juno. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added as to the bug as attachments.
This is basically a sister bug of bug #1243327, but applies to DVR and, possibly, HA routers. This affects plugins that support DVR/HA, which right now is just ML2/OVS.
In a nutshell what happens is that check _enforce_device_owner_not_router_intf_or_device_id in [1] is skipped, instead of being forbidden.
From a data plane standpoint, since these routers work a bit differently from centralized routers, there is no actual cross plugging. In fact, since DVR routers will do the interface plugging only after a network has been attached to the router, this makes the exploit a lot more difficult to achieve, but the fix provided at least prevents malicious attempts from creative people.
[1] https://github.com/openstack/neutron/blob/stable/juno/neutron/db/db_base_plugin_v2.py#L1493 (stable/juno)
Patch applies for master attached, which applies cleanly to Juno. |
|
2015-01-14 21:50:27 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
2015-01-14 21:50:33 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
2015-01-14 21:54:09 |
Tristan Cacqueray |
bug |
|
|
added subscriber Salvatore Orlando |
2015-01-20 18:07:27 |
Armando Migliaccio |
neutron: assignee |
|
Armando Migliaccio (armando-migliaccio) |
|
2015-02-06 00:20:58 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
2015-02-06 00:21:09 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
2015-02-06 03:20:36 |
Armando Migliaccio |
neutron: importance |
Undecided |
High |
|
2015-02-06 03:20:43 |
Armando Migliaccio |
tags |
|
l3-dvr-backlog |
|
2015-02-06 03:27:28 |
OpenStack Infra |
neutron: status |
New |
In Progress |
|
2015-02-07 02:01:26 |
Armando Migliaccio |
tags |
l3-dvr-backlog |
juno-backport-potential l3-dvr-backlog |
|
2015-02-07 02:01:32 |
Armando Migliaccio |
neutron: milestone |
|
kilo-3 |
|
2015-02-10 06:08:29 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Committed |
|
2015-02-10 13:57:20 |
Armando Migliaccio |
tags |
juno-backport-potential l3-dvr-backlog |
l3-dvr-backlog |
|
2015-03-19 16:27:51 |
Thierry Carrez |
neutron: status |
Fix Committed |
Fix Released |
|
2015-04-30 09:44:09 |
Thierry Carrez |
neutron: milestone |
kilo-3 |
2015.1.0 |
|
2020-02-27 23:59:44 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added as to the bug as attachments.
This is basically a sister bug of bug #1243327, but applies to DVR and, possibly, HA routers. This affects plugins that support DVR/HA, which right now is just ML2/OVS.
In a nutshell what happens is that check _enforce_device_owner_not_router_intf_or_device_id in [1] is skipped, instead of being forbidden.
From a data plane standpoint, since these routers work a bit differently from centralized routers, there is no actual cross plugging. In fact, since DVR routers will do the interface plugging only after a network has been attached to the router, this makes the exploit a lot more difficult to achieve, but the fix provided at least prevents malicious attempts from creative people.
[1] https://github.com/openstack/neutron/blob/stable/juno/neutron/db/db_base_plugin_v2.py#L1493 (stable/juno)
Patch applies for master attached, which applies cleanly to Juno. |
This is basically a sister bug of bug #1243327, but applies to DVR and, possibly, HA routers. This affects plugins that support DVR/HA, which right now is just ML2/OVS.
In a nutshell what happens is that check _enforce_device_owner_not_router_intf_or_device_id in [1] is skipped, instead of being forbidden.
From a data plane standpoint, since these routers work a bit differently from centralized routers, there is no actual cross plugging. In fact, since DVR routers will do the interface plugging only after a network has been attached to the router, this makes the exploit a lot more difficult to achieve, but the fix provided at least prevents malicious attempts from creative people.
[1] https://github.com/openstack/neutron/blob/stable/juno/neutron/db/db_base_plugin_v2.py#L1493 (stable/juno)
Patch applies for master attached, which applies cleanly to Juno. |
|