[OSSA 2014-014] neutron allows security group rules with invalid cidrs, resulting in broken iptables rules (breaking iptables-restore) (CVE-2014-0187)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray |
neutron | Fix Released | Undecided | Aaron Rosen |
Havana | Fix Released | Undecided | Unassigned |
Icehouse | Fix Released | Undecided | Unassigned |
Bug Description
This bug is already reported in https:/
security group was created with:
quantum security-
```
ERROR [quantum.
Traceback (most recent call last):
File "/usr/lib/
sync = self.process_
File "/usr/lib/
resync_a = self.treat_
File "/usr/lib/
self.
File "/usr/lib/
self.
File "/usr/lib/
self.
File "/usr/lib/
self.
File "/usr/lib/
self.
File "/usr/lib/
self._apply()
File "/usr/lib/
retval = f(*args, **kwargs)
File "/usr/lib/
root_
File "/usr/lib/
raise RuntimeError(m)
RuntimeError:
Command: ['sudo', '/usr/bin/
Exit code: 2
Stdout: ''
Stderr: "iptables-restore v1.4.12: host/network `' not found\nError occurred at line: 391\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
```
Our operations team is telling me that just removing the broken rule didn't help, but "restart quantum-
IMHO, this is an issue the vulnerability management team should consider. (We have been seeing this on stable/grizzly, but havana and upcoming icehouse are also affected.)
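The failure mode in the description, an empty or otherwise invalid `remote_ip_prefix` being interpolated straight into an iptables rule so that iptables-restore rejects the whole ruleset, reproduced and then prevented in an added Python example. This is not neutron's code: the rule rendering is a simplified stand-in for the agent's iptables driver, the validation uses the standard-library `ipaddress` module rather than whatever neutron uses, and `lint_ruleset` is a hypothetical pre-flight check in the spirit of the "test them before applying them" comment below.

```python
import ipaddress


class InvalidSecurityGroupRule(ValueError):
    """Raised for a rule that iptables-restore would refuse to load."""


def validate_remote_ip_prefix(prefix, ethertype="IPv4"):
    """Return the prefix in canonical CIDR form, or raise InvalidSecurityGroupRule.

    Hypothetical API-layer check (not neutron's own). It rejects the inputs that
    produce "host/network `...' not found" from iptables-restore: an empty or
    whitespace string, a hostname, a malformed CIDR, or a prefix whose address
    family does not match the rule's ethertype.
    """
    if prefix is None:
        return None  # no remote prefix: the rule matches any source
    if not isinstance(prefix, str) or not prefix.strip():
        raise InvalidSecurityGroupRule("remote_ip_prefix must be a non-empty CIDR")
    try:
        network = ipaddress.ip_network(prefix.strip(), strict=False)
    except ValueError as exc:
        raise InvalidSecurityGroupRule("%r is not a valid CIDR" % (prefix,)) from exc
    wanted_version = 4 if ethertype == "IPv4" else 6
    if network.version != wanted_version:
        raise InvalidSecurityGroupRule("%r is not an %s prefix" % (prefix, ethertype))
    return str(network)


def _render(rule, prefix):
    """Simplified rendering of one ingress security-group rule as an iptables line."""
    args = []
    if prefix is not None:
        args += ["-s", prefix]
    proto = rule.get("protocol")
    if proto:
        args += ["-p", proto, "-m", proto]
        low, high = rule.get("port_range_min"), rule.get("port_range_max")
        if low is not None:
            args += ["--dport", str(low) if high in (None, low) else "%s:%s" % (low, high)]
    args += ["-j", "RETURN"]
    return " ".join(args)


def render_unvalidated(rule):
    """The failing behaviour: whatever the API stored is interpolated verbatim.

    An empty remote_ip_prefix renders as "-s  -p tcp ...", which iptables-restore
    rejects, and because iptables-restore aborts on the first bad line the whole
    ruleset for the host fails to load, not just this one rule.
    """
    return _render(rule, rule.get("remote_ip_prefix"))


def render_validated(rule):
    """The hardened behaviour: refuse the rule before it ever reaches iptables."""
    prefix = validate_remote_ip_prefix(rule.get("remote_ip_prefix"),
                                       rule.get("ethertype", "IPv4"))
    return _render(rule, prefix)


def lint_ruleset(lines):
    """Pre-flight check: return the 1-based numbers of lines whose -s/-d argument
    is not a parseable CIDR. A cheap, offline stand-in for handing the ruleset to
    iptables-restore in test mode before committing it."""
    bad = []
    for number, line in enumerate(lines, 1):
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in ("-s", "-d"):
                following = tokens[i + 1] if i + 1 < len(tokens) else ""
                try:
                    ipaddress.ip_network(following, strict=False)
                except ValueError:
                    bad.append(number)
                    break
    return bad


if __name__ == "__main__":
    # Constructed sample rule with the empty prefix from the bug report.
    rule = {"ethertype": "IPv4", "protocol": "tcp", "port_range_min": 22,
            "port_range_max": 22, "remote_ip_prefix": ""}
    broken = render_unvalidated(rule)
    print("unvalidated:", repr(broken), "bad lines:", lint_ruleset([broken]))
    try:
        render_validated(rule)
    except InvalidSecurityGroupRule as exc:
        print("validated: rejected ->", exc)
```

Two defences are shown because they fail differently: the validator stops a bad rule at the API so it is never persisted, while the lint runs over the rendered ruleset and catches anything that reached the agent anyway (rules created before the fix, or by another code path). Where the installed iptables-restore supports it, `iptables-restore --test` does the real version of the second check by parsing the ruleset without committing it.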
CVE References: CVE-2014-0187
Changed in ossa:
  status: New → Incomplete
  summary: neutron allows security group rules with invalid cidrs, resulting in broken iptables rules (breaking iptables-restore) → neutron allows security group rules with invalid cidrs, resulting in broken iptables rules (breaking iptables-restore) (CVE-2014-0187)
Changed in ossa:
  status: Confirmed → In Progress
  summary: neutron allows security group rules with invalid cidrs, resulting in broken iptables rules (breaking iptables-restore) (CVE-2014-0187) → [OSSA 2014-014] neutron allows security group rules with invalid cidrs, resulting in broken iptables rules (breaking iptables-restore) (CVE-2014-0187)
  information type: Private Security → Public Security
Changed in ossa:
  status: In Progress → Fix Committed
Changed in ossa:
  status: Fix Committed → Fix Released
Changed in neutron:
  milestone: none → juno-1
  status: Fix Committed → Fix Released
Changed in neutron:
  milestone: juno-1 → 2014.2
I think that's a valid DoS vector, due to its efficiency.
Not the first time an invalid iptables rule can be passed and wreck things -- maybe they should consider testing them in a sandbox before applying them, rather than try to sanitize them and then apply them blindly...