2019-03-03 04:44:00 |
Erik Olof Gunnar Andersson |
bug |
|
|
added bug |
2019-03-03 04:45:21 |
Erik Olof Gunnar Andersson |
description |
This command should be invalid, since iptables does not allow dst-port being passed, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
It would trigger the following error on the compute site.
> unknown option "--dport"
I would create this as a security vulnerability, but it's already been mentioned on IRC. |
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port being passed, it would trigger the following error on the compute.
> unknown option "--dport"
I would have created this as a security vulnerability, but it's already been mentioned on IRC. |
|
2019-03-03 05:38:35 |
OpenStack Infra |
neutron: status |
New |
In Progress |
|
2019-03-03 05:38:35 |
OpenStack Infra |
neutron: assignee |
|
Doug Wiegley (dougwig) |
|
2019-03-03 19:21:15 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2019-03-03 19:21:35 |
Jeremy Stanley |
neutron: status |
In Progress |
Incomplete |
|
2019-03-03 19:22:07 |
Jeremy Stanley |
neutron: status |
Incomplete |
In Progress |
|
2019-03-03 19:22:11 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2019-03-03 19:25:15 |
Jeremy Stanley |
information type |
Public |
Public Security |
|
2019-03-03 19:42:00 |
Erik Olof Gunnar Andersson |
description |
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port being passed, it would trigger the following error on the compute.
> unknown option "--dport"
I would have created this as a security vulnerability, but it's already been mentioned on IRC. |
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port being passed, it would trigger the following error on the compute.
> unknown option "--dport" |
|
2019-03-03 19:42:34 |
Erik Olof Gunnar Andersson |
description |
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port being passed, it would trigger the following error on the compute.
> unknown option "--dport" |
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port being passed, it would trigger the following error on the compute and fail to apply any future iptables rules.
> unknown option "--dport" |
|
2019-03-04 07:28:18 |
Dr. Jens Harbott |
bug |
|
|
added subscriber Dr. Jens Harbott |
2019-03-04 09:45:38 |
Slawek Kaplonski |
neutron: importance |
Undecided |
Critical |
|
2019-03-05 03:55:38 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
2019-03-05 03:55:41 |
Tristan Cacqueray |
ossa: importance |
Undecided |
Critical |
|
2019-03-07 02:33:16 |
Marcin Kosobucki |
bug |
|
|
added subscriber Marcin Kosobucki |
2019-03-08 20:34:32 |
OpenStack Infra |
neutron: assignee |
Doug Wiegley (dougwig) |
Brian Haley (brian-haley) |
|
2019-03-09 22:04:45 |
OpenStack Infra |
neutron: assignee |
Brian Haley (brian-haley) |
Slawek Kaplonski (slaweq) |
|
2019-03-11 15:49:19 |
Jeremy Stanley |
ossa: status |
Confirmed |
Triaged |
|
2019-03-11 15:49:26 |
Jeremy Stanley |
ossa: assignee |
|
Jeremy Stanley (fungi) |
|
2019-03-11 15:50:58 |
Jeremy Stanley |
tags |
|
ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
|
2019-03-11 15:57:40 |
Doug Wiegley |
neutron: assignee |
Slawek Kaplonski (slaweq) |
Doug Wiegley (dougwig) |
|
2019-03-11 16:00:12 |
Magnus Bergman |
bug |
|
|
added subscriber Magnus Bergman |
2019-03-11 18:14:55 |
OpenStack Infra |
neutron: assignee |
Doug Wiegley (dougwig) |
Brian Haley (brian-haley) |
|
2019-03-12 18:43:36 |
OpenStack Infra |
tags |
ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
in-stable-queens ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
|
2019-03-13 01:22:39 |
Jeremy Stanley |
summary |
It's possible to add a security group rule for VRRP with a dport |
It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735) |
|
2019-03-13 15:42:57 |
OpenStack Infra |
tags |
in-stable-queens ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
in-stable-queens in-stable-rocky ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
|
2019-03-13 20:03:51 |
OpenStack Infra |
tags |
in-stable-queens in-stable-rocky ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
in-stable-ocata in-stable-queens in-stable-rocky ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
|
2019-03-15 10:08:05 |
Bernard Cafarelli |
tags |
in-stable-ocata in-stable-queens in-stable-rocky ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
in-stable-ocata in-stable-queens in-stable-rocky neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
|
2019-03-16 02:12:19 |
OpenStack Infra |
tags |
in-stable-ocata in-stable-queens in-stable-rocky neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
in-stable-ocata in-stable-pike in-stable-queens in-stable-rocky neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
|
2019-03-18 10:40:12 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Released |
|
2019-03-18 15:00:01 |
Jeremy Stanley |
summary |
It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735) |
[OSSA-2019-001] It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735) |
|
2019-03-18 15:00:10 |
Jeremy Stanley |
ossa: status |
Triaged |
Fix Committed |
|
2019-03-18 15:34:13 |
OpenStack Infra |
cve linked |
|
2019-9735 |
|
2019-03-18 15:51:48 |
Jeremy Stanley |
ossa: status |
Fix Committed |
Fix Released |
|
2019-03-18 16:52:10 |
Bernard Cafarelli |
tags |
in-stable-ocata in-stable-pike in-stable-queens in-stable-rocky neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
in-stable-ocata in-stable-pike in-stable-queens in-stable-rocky ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
|
2019-06-19 14:54:28 |
Bernard Cafarelli |
tags |
in-stable-ocata in-stable-pike in-stable-queens in-stable-rocky ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
in-stable-ocata in-stable-pike in-stable-queens in-stable-rocky neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
|
2019-11-28 10:46:38 |
Bernard Cafarelli |
tags |
in-stable-ocata in-stable-pike in-stable-queens in-stable-rocky neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential |
in-stable-ocata in-stable-pike in-stable-queens in-stable-rocky |
|