[OSSA-2019-001] It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735)
Bug #1818385 reported by Erik Olof Gunnar Andersson
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Security Advisory | Fix Released | Critical | Jeremy Stanley | |
neutron | Fix Released | Critical | Brian Haley | |
Bug Description
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port being passed, it would trigger the following error on the compute and fail to apply any future iptables rules.
> unknown option "--dport"
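An added example, not part of the bug report and not Neutron's code: one way an API layer could refuse the rule above before it ever reaches the iptables driver on the compute node. The function names and the two protocol tables are assumptions of this example.

```python
# Added example with hypothetical names; this is not Neutron's implementation.
# Assumption: only these IP protocols have a destination-port field that
# iptables can match with --dport (values are IANA protocol numbers).
PORT_PROTOCOLS = {"tcp": 6, "udp": 17, "dccp": 33, "sctp": 132, "udplite": 136}
# Assumption: for ICMP the two "port" fields carry type/code rather than
# ports, so they are left to a separate check that is out of scope here.
ICMP_PROTOCOLS = {"icmp": 1, "ipv6-icmp": 58}


def normalize(protocol):
    """Return a lowercase protocol name, mapping known numbers to names."""
    proto = str(protocol).strip().lower()
    for table in (PORT_PROTOCOLS, ICMP_PROTOCOLS):
        for name, number in table.items():
            if proto == str(number):
                return name
    return proto


def validate_rule(protocol, port_min=None, port_max=None):
    """Return (protocol, dport or None); raise ValueError if unrenderable."""
    proto = normalize(protocol)
    if (port_min is None and port_max is None) or proto in ICMP_PROTOCOLS:
        return proto, None
    if proto not in PORT_PROTOCOLS:
        raise ValueError(f"protocol {proto!r} does not support a port range")
    lo = port_min if port_min is not None else port_max
    hi = port_max if port_max is not None else port_min
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {lo}:{hi}")
    return proto, (str(lo) if lo == hi else f"{lo}:{hi}")


def iptables_args(protocol, remote_ip, port_min=None, port_max=None):
    """Build iptables match arguments for a rule that passed validation."""
    proto, dport = validate_rule(protocol, port_min, port_max)
    args = ["-s", remote_ip, "-p", proto]
    if dport is not None:
        args += ["--dport", dport]
    return args


if __name__ == "__main__":
    # Constructed input mirroring the report's command (documentation address).
    print(iptables_args("tcp", "192.0.2.10", 22, 22))
    try:
        iptables_args("vrrp", "192.0.2.10", 112, 112)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the rule at creation time keeps one tenant-supplied rule from producing an argument list that the firewall backend cannot load.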
CVE References
description: | updated |
Changed in neutron: | |
importance: | Undecided → Critical |
Changed in neutron: | |
assignee: | Brian Haley (brian-haley) → Slawek Kaplonski (slaweq) |
Changed in neutron: | |
assignee: | Doug Wiegley (dougwig) → Brian Haley (brian-haley) |
summary: |
It's possible to add a security group rule for VRRP with a dport + (CVE-2019-9735) |
tags: | added: neutron-proactive-backport-potential |
summary: |
- It's possible to add a security group rule for VRRP with a dport - (CVE-2019-9735) + [OSSA-2019-001] It's possible to add a security group rule for VRRP with + a dport (CVE-2019-9735) |
Changed in ossa: | |
status: | Triaged → Fix Committed |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
tags: | removed: neutron-proactive-backport-potential |
tags: | added: neutron-proactive-backport-potential |
tags: | removed: neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
Fix proposed to branch: master
Review: https://review.openstack.org/640619