Comment 15 for bug 1818385

Given a hotfix for this has merged on master now, I'm proposing an impact description for use in an upcoming OpenStack Security Advisory and associated CVE request. Please suggest improvements...

Title: Unsupported dport option prevents applying security groups
Reporter: Erik Olof Gunnar Andersson (Blizzard Entertainment)
Products: Neutron
Affects: <10.0.8, >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3

Erik Olof Gunnar Andersson with Blizzard Entertainment reported a vulnerability in Neutron's iptables firewall module. By setting a destination port in a security group rule along with a protocol which doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. Only deployments using the iptables security group driver are affected.