| 2018-02-15 09:52:58 |
Ian Kumlien |
bug |
|
|
added bug |
| 2018-02-15 17:52:49 |
Brian Haley |
neutron: status |
New |
Confirmed |
|
| 2018-02-15 17:53:15 |
Brian Haley |
neutron: importance |
Undecided |
Critical |
|
| 2018-02-15 17:53:20 |
Brian Haley |
neutron: assignee |
|
Brian Haley (brian-haley) |
|
| 2018-02-15 17:55:40 |
Brian Haley |
bug |
|
|
added subscriber Brian Haley |
| 2018-02-15 19:01:29 |
OpenStack Infra |
neutron: status |
Confirmed |
In Progress |
|
| 2018-03-02 14:39:09 |
Thomas Morin |
bug |
|
|
added subscriber Thomas Morin |
| 2018-03-07 20:57:13 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Released |
|
| 2018-05-10 21:48:52 |
OpenStack Infra |
tags |
|
in-stable-queens |
|
| 2018-05-21 03:58:04 |
OpenStack Infra |
tags |
in-stable-queens |
in-stable-pike in-stable-queens |
|
| 2018-11-27 13:03:37 |
Edward Hope-Morley |
bug task added |
|
cloud-archive |
|
| 2018-11-27 13:03:45 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/ocata |
|
| 2018-11-27 13:03:51 |
Edward Hope-Morley |
cloud-archive: status |
New |
Fix Released |
|
| 2018-11-27 14:18:29 |
Edward Hope-Morley |
description |
We have had problems with openvswitch agent continuously restarting and never actually completing setup because of this:
# Completed by iptables_manager
; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
Error occurred at line: 83
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN
---
Someone has managed to inject a rule that is, effectively, a DoS. |
[Impact]
Neutron allowed users to create security group rules that would translate to invalid iptables rules thus causing neutron to fail when it attempted to apply them. This is now fixed for >= Pike and we are backporting for Ocata.
[Test Case]
* deploy openstack ocata
* create an invalid security group rule e.g.
openstack security group rule create --protocol gre --dst-port 0:255 jmclane
* check that request is rejected with e.g.
Error while executing command: BadRequestException: Unknown error, {"NeutronError": {"message": "Invalid protocol 47 for port range, only supported for TCP, UDP, UDPLITE│·········································································································
, SCTP and DCCP.", "type": "SecurityGroupInvalidProtocolForPortRange", "detail": ""}}
[Regression Potential]
Upgrading to this patch will reject new api requests that try to create invalid rules but will not cleanup invalid rules already extant.
-----------------------------------------------------------------------------
We have had problems with openvswitch agent continuously restarting and never actually completing setup because of this:
# Completed by iptables_manager
; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
Error occurred at line: 83
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN
---
Someone has managed to inject a rule that is, effectively, a DoS. |
|
| 2018-11-27 14:18:43 |
Edward Hope-Morley |
summary |
neutron doesn't correctly handle unknown protocols and should whitelist known and handled protocols |
[SRU] neutron doesn't correctly handle unknown protocols and should whitelist known and handled protocols |
|
| 2018-11-27 14:18:59 |
Edward Hope-Morley |
tags |
in-stable-pike in-stable-queens |
in-stable-pike in-stable-queens sts sts-sru-needed |
|
| 2018-11-27 14:19:37 |
Edward Hope-Morley |
attachment added |
|
lp1749667-xenial-ocata.debdiff https://bugs.launchpad.net/cloud-archive/+bug/1749667/+attachment/5216782/+files/lp1749667-xenial-ocata.debdiff |
|
| 2018-11-27 18:29:17 |
Corey Bryant |
bug task added |
|
cloud-archive/ocata |
|
| 2018-11-27 18:32:45 |
Corey Bryant |
cloud-archive/ocata: status |
New |
Triaged |
|
| 2018-11-27 18:32:51 |
Corey Bryant |
cloud-archive/ocata: importance |
Undecided |
Critical |
|
| 2018-11-27 18:39:13 |
Corey Bryant |
description |
[Impact]
Neutron allowed users to create security group rules that would translate to invalid iptables rules thus causing neutron to fail when it attempted to apply them. This is now fixed for >= Pike and we are backporting for Ocata.
[Test Case]
* deploy openstack ocata
* create an invalid security group rule e.g.
openstack security group rule create --protocol gre --dst-port 0:255 jmclane
* check that request is rejected with e.g.
Error while executing command: BadRequestException: Unknown error, {"NeutronError": {"message": "Invalid protocol 47 for port range, only supported for TCP, UDP, UDPLITE│·········································································································
, SCTP and DCCP.", "type": "SecurityGroupInvalidProtocolForPortRange", "detail": ""}}
[Regression Potential]
Upgrading to this patch will reject new api requests that try to create invalid rules but will not cleanup invalid rules already extant.
-----------------------------------------------------------------------------
We have had problems with openvswitch agent continuously restarting and never actually completing setup because of this:
# Completed by iptables_manager
; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
Error occurred at line: 83
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN
---
Someone has managed to inject a rule that is, effectively, a DoS. |
[Impact]
Neutron allowed users to create security group rules that would translate to invalid iptables rules thus causing neutron to fail when it attempted to apply them. This is now fixed for >= Pike and we are backporting for Ocata.
[Test Case]
* deploy openstack ocata
* create an invalid security group rule e.g.
openstack security group rule create --protocol gre --dst-port 0:255 jmclane
* check that request is rejected with e.g.
Error while executing command: BadRequestException: Unknown error, {"NeutronError": {"message": "Invalid protocol 47 for port range, only supported for TCP, UDP, UDPLITE│·········································································································
, SCTP and DCCP.", "type": "SecurityGroupInvalidProtocolForPortRange", "detail": ""}}
[Regression Potential]
Upgrading to this patch will reject new api requests that try to create invalid rules but will not cleanup invalid rules already extant.
Note also that the backported ocata patch is unchanged from pike.
-----------------------------------------------------------------------------
We have had problems with openvswitch agent continuously restarting and never actually completing setup because of this:
# Completed by iptables_manager
; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
Error occurred at line: 83
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN
---
Someone has managed to inject a rule that is, effectively, a DoS. |
|
| 2018-11-28 02:14:30 |
Corey Bryant |
cloud-archive/ocata: status |
Triaged |
Fix Committed |
|
| 2018-11-28 02:14:32 |
Corey Bryant |
tags |
in-stable-pike in-stable-queens sts sts-sru-needed |
in-stable-pike in-stable-queens sts sts-sru-needed verification-ocata-needed |
|
| 2018-11-30 18:30:31 |
Edward Hope-Morley |
tags |
in-stable-pike in-stable-queens sts sts-sru-needed verification-ocata-needed |
in-stable-pike in-stable-queens sts sts-sru-needed verification-ocata-done |
|
| 2018-12-05 13:37:57 |
Corey Bryant |
cloud-archive/ocata: status |
Fix Committed |
Fix Released |
|
