Activity log for bug #2030295

Date Who What changed Old value New value Message
2023-08-05 19:50:06 Dr. Jens Harbott bug added bug
2023-08-05 19:50:45 Dr. Jens Harbott tags ovn dns ovn
2023-08-07 00:49:42 Brian Haley bug added subscriber Brian Haley
2023-08-07 16:35:28 Jeremy Stanley description When a client sends a query via TCP instead of UDP, OVN does not generate an answer. The query is instead forwarded to the configured external resolvers. Example: debian@vm1:~$ dig +tcp vm1 ; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp vm1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24091 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;vm1. IN A ;; AUTHORITY SECTION: . 2468 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023080500 1800 900 604800 86400 ;; Query time: 0 msec ;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP) ;; WHEN: Sat Aug 05 19:44:16 UTC 2023 ;; MSG SIZE rcvd: 107 For comparison check the same query via UDP: debian@vm1:~$ dig +noedns vm1 ; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +noedns vm1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41575 ;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;vm1. IN A ;; ANSWER SECTION: vm1. 3600 IN A 10.128.0.77 ;; Query time: 0 msec ;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP) ;; WHEN: Sat Aug 05 19:45:39 UTC 2023 ;; MSG SIZE rcvd: 40 (Note that the latter response does not actually come from the external server, but is spoofed by OVN.) Marking as security bug since this may unexpectedly leak internal information (hostnames) to external third parties. Also see https://bugs.launchpad.net/neutron/+bug/2030294 for a related issue requiring the +noedns option needing to be used in the second example (it doesn't change the outcome for the first example). This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. This embargo shall not extend past 2023-11-05 and will be made public by or on that date even if no fix is identified. When a client sends a query via TCP instead of UDP, OVN does not generate an answer. The query is instead forwarded to the configured external resolvers. Example: debian@vm1:~$ dig +tcp vm1 ; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp vm1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24091 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;vm1. IN A ;; AUTHORITY SECTION: . 2468 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023080500 1800 900 604800 86400 ;; Query time: 0 msec ;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP) ;; WHEN: Sat Aug 05 19:44:16 UTC 2023 ;; MSG SIZE rcvd: 107 For comparison check the same query via UDP: debian@vm1:~$ dig +noedns vm1 ; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +noedns vm1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41575 ;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;vm1. IN A ;; ANSWER SECTION: vm1. 3600 IN A 10.128.0.77 ;; Query time: 0 msec ;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP) ;; WHEN: Sat Aug 05 19:45:39 UTC 2023 ;; MSG SIZE rcvd: 40 (Note that the latter response does not actually come from the external server, but is spoofed by OVN.) Marking as security bug since this may unexpectedly leak internal information (hostnames) to external third parties. Also see https://bugs.launchpad.net/neutron/+bug/2030294 for a related issue requiring the +noedns option needing to be used in the second example (it doesn't change the outcome for the first example).
2023-08-07 16:35:37 Jeremy Stanley bug task added ossa
2023-08-07 16:35:42 Jeremy Stanley ossa: status New Incomplete
2023-08-07 16:35:56 Jeremy Stanley bug added subscriber Neutron Core Security reviewers
2023-08-07 19:04:04 Jeremy Stanley description This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. This embargo shall not extend past 2023-11-05 and will be made public by or on that date even if no fix is identified. When a client sends a query via TCP instead of UDP, OVN does not generate an answer. The query is instead forwarded to the configured external resolvers. Example: debian@vm1:~$ dig +tcp vm1 ; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp vm1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24091 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;vm1. IN A ;; AUTHORITY SECTION: . 2468 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023080500 1800 900 604800 86400 ;; Query time: 0 msec ;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP) ;; WHEN: Sat Aug 05 19:44:16 UTC 2023 ;; MSG SIZE rcvd: 107 For comparison check the same query via UDP: debian@vm1:~$ dig +noedns vm1 ; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +noedns vm1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41575 ;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;vm1. IN A ;; ANSWER SECTION: vm1. 3600 IN A 10.128.0.77 ;; Query time: 0 msec ;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP) ;; WHEN: Sat Aug 05 19:45:39 UTC 2023 ;; MSG SIZE rcvd: 40 (Note that the latter response does not actually come from the external server, but is spoofed by OVN.) Marking as security bug since this may unexpectedly leak internal information (hostnames) to external third parties. Also see https://bugs.launchpad.net/neutron/+bug/2030294 for a related issue requiring the +noedns option needing to be used in the second example (it doesn't change the outcome for the first example). When a client sends a query via TCP instead of UDP, OVN does not generate an answer. The query is instead forwarded to the configured external resolvers. Example: debian@vm1:~$ dig +tcp vm1 ; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp vm1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24091 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;vm1. IN A ;; AUTHORITY SECTION: . 2468 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023080500 1800 900 604800 86400 ;; Query time: 0 msec ;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP) ;; WHEN: Sat Aug 05 19:44:16 UTC 2023 ;; MSG SIZE rcvd: 107 For comparison check the same query via UDP: debian@vm1:~$ dig +noedns vm1 ; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +noedns vm1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41575 ;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;vm1. IN A ;; ANSWER SECTION: vm1. 3600 IN A 10.128.0.77 ;; Query time: 0 msec ;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP) ;; WHEN: Sat Aug 05 19:45:39 UTC 2023 ;; MSG SIZE rcvd: 40 (Note that the latter response does not actually come from the external server, but is spoofed by OVN.) Marking as security bug since this may unexpectedly leak internal information (hostnames) to external third parties. Also see https://bugs.launchpad.net/neutron/+bug/2030294 for a related issue requiring the +noedns option needing to be used in the second example (it doesn't change the outcome for the first example).
2023-08-07 19:04:14 Jeremy Stanley information type Private Security Public
2023-08-07 19:04:21 Jeremy Stanley ossa: status Incomplete Won't Fix
2023-08-07 19:04:31 Jeremy Stanley tags dns ovn dns ovn security