DNS available externally on provider network

Bug #1798351 reported by Ian Kumlien
This bug report is a duplicate of: Bug #1501206: router:dhcp ports are open resolvers.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | New | Undecided | Unassigned |

Bug Description

DNS is open for everyone on our external provider network and this can be used to do an amplification attack.

Shouldn't this access at least be filtered for external parties?

Tested on OpenStack Pike

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

In keeping with recent OpenStack vulnerability management policy changes, no report should remain under private embargo for more than 90 days. Because this report predates the change in policy, the deadline for public disclosure is being set to 90 days from today. If the report is not resolved within the next 90 days, it will revert to our public workflow as of 2020-05-27. Please see http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012721.html for further details.

description: updated
Ian Kumlien (pomac) wrote :

This bug should apparently be merged with https://bugs.launchpad.net/neutron/+bug/1501206

And it has been fixed since:
13.0.3 - rocky
12.0.6 - queens
11.0.7 - pike

Fixed in all newer releases.

Jeremy Stanley (fungi)
description: updated
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
Jeremy Stanley (fungi) wrote :

Thanks! I've switched this to public and marked it as a duplicate.
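
A defender-side check for the condition this report describes, as an added example that is not part of the original bug report or of neutron's code: it sends one recursive query to a router or DHCP port address you operate, from a host outside the tenant network, and classifies the reply. The function names, the `example.com` test name and the sample reply bytes are assumptions constructed for illustration.

```python
import socket
import struct

QR_FLAG = 0x8000          # set on responses
RA_FLAG = 0x0080          # "recursion available"
NOERROR, NXDOMAIN = 0, 3  # rcodes a recursing server returns

# Constructed sample replies (header only): one with RA set and an answer,
# one REFUSED without RA. They are not captures from a real deployment.
SAMPLE_OPEN = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
SAMPLE_REFUSED = b"\x12\x34\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00"

def build_query(name, txid=0x1234):
    """Build an A/IN query for `name` with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(data, txid=0x1234):
    """Return 'open-resolver', 'recursion-refused' or 'invalid'."""
    if len(data) < 12:
        return "invalid"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & QR_FLAG:
        return "invalid"  # not a reply to our query
    rcode = flags & 0x000F
    if flags & RA_FLAG and rcode in (NOERROR, NXDOMAIN):
        return "open-resolver"  # the server recursed for an outside client
    return "recursion-refused"

def probe(server, name="example.com", timeout=2.0):
    """Query server:53/udp once; run from outside the tenant network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable
            return "filtered-or-closed"
    return classify_response(data)
```

After upgrading to one of the fixed releases listed above, `probe()` run from the external provider network against the port's address should no longer return `open-resolver`.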
