[OSSA-2019-001] It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735)
Bug #1818385 reported by Erik Olof Gunnar Andersson
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Fix Released | Critical | Jeremy Stanley | |
| neutron | Fix Released | Critical | Brian Haley | |
Bug Description
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port to be passed, it would trigger the following error on the compute and fail to apply any future iptables rules.
> unknown option "--dport"
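
One way to reject the rule from the bug description at the API layer, before it reaches iptables on the compute node. This is an added example, not Neutron's own code or its fix; the function names and the table of port-capable protocols are assumptions.

```python
# Added example: check that a rule's destination port can be expressed by
# the firewall backend. All names here are hypothetical.

# Assumed set of protocols whose iptables match accepts --dport,
# keyed by IANA protocol number.
PORT_PROTOCOLS = {6: "tcp", 17: "udp", 33: "dccp", 132: "sctp", 136: "udplite"}
# Name -> number for the protocols used in this example (112 is VRRP).
PROTOCOL_NUMBERS = {name: num for num, name in PORT_PROTOCOLS.items()}
PROTOCOL_NUMBERS.update({"vrrp": 112, "icmp": 1})


class InvalidRule(ValueError):
    """Raised when a rule cannot be rendered by the firewall backend."""


def protocol_number(protocol):
    """Normalize a protocol given by name ("vrrp") or by number ("112")."""
    text = str(protocol).strip().lower()
    if text.isdigit():
        number = int(text)
        if not 0 <= number <= 255:
            raise InvalidRule(f"protocol number out of range: {protocol}")
        return number
    try:
        return PROTOCOL_NUMBERS[text]
    except KeyError:
        raise InvalidRule(f"unknown protocol: {protocol}") from None


def validate_rule(protocol, dst_port=None):
    """Return (protocol number, port) or raise InvalidRule."""
    number = protocol_number(protocol)
    if dst_port is None:
        return number, None
    # Checking the number also covers the same protocol given as "112".
    if number not in PORT_PROTOCOLS:
        raise InvalidRule(f"protocol {protocol} does not take a destination port")
    port = int(dst_port)
    if not 1 <= port <= 65535:  # assumed valid port range
        raise InvalidRule(f"destination port out of range: {dst_port}")
    return number, port


def is_valid(protocol, dst_port=None):
    """Boolean wrapper for use in request validation."""
    try:
        validate_rule(protocol, dst_port)
        return True
    except ValueError:  # InvalidRule, or a non-numeric port
        return False
```

Rejecting the request at creation time matters here because, as the report describes, a single unrenderable rule stops later iptables rules from being applied on the compute.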
CVE References
| description: | updated |
| Changed in neutron: | |
| importance: | Undecided → Critical |
| Changed in neutron: | |
| assignee: | Brian Haley (brian-haley) → Slawek Kaplonski (slaweq) |
| Changed in neutron: | |
| assignee: | Doug Wiegley (dougwig) → Brian Haley (brian-haley) |
| summary: | It's possible to add a security group rule for VRRP with a dport + (CVE-2019-9735) |
| tags: | added: neutron-proactive-backport-potential |
| summary: | - It's possible to add a security group rule for VRRP with a dport - (CVE-2019-9735) + [OSSA-2019-001] It's possible to add a security group rule for VRRP with + a dport (CVE-2019-9735) |
| Changed in ossa: | |
| status: | Triaged → Fix Committed |
| Changed in ossa: | |
| status: | Fix Committed → Fix Released |
| tags: | removed: neutron-proactive-backport-potential |
| tags: | added: neutron-proactive-backport-potential |
| tags: | removed: neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |

Fix proposed to branch: master
Review: https://review.openstack.org/640619