I have a question: will the iptables-restore issue also prevent former rules from being re-applied, or will it break at the
time the invalid rule is actually being applied?
In such a case, the impact desc would need a note about that in case of a host reboot.
Impact description draft #1:
Title: Neutron security group DoS through invalid CIDR
Reporter: Stephen Ma (HP)
Products: Neutron
Versions: 2013.1 to 2013.2.3, and 2014.1 versions
Description:
Stephen Ma from Hewlett Packard reported a vulnerability in Neutron security groups. By creating a security group rule with an invalid CIDR, an authenticated user may break the openvswitch-agent process, preventing further rules from being applied on the host. Note: removal of the faulty rule is not enough; the openvswitch-agent must be restarted.
All Neutron setups are affected.
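The root cause described above is an unvalidated CIDR reaching the agent's iptables-restore step. The block below is an added example, not Neutron's own code: it shows the defensive check a practitioner would want in front of rule rendering, namely parsing every remote prefix with the standard-library ipaddress module and partitioning rules into accepted and rejected sets before any iptables text is generated. The SecurityGroupRule class, the chain name neutron-sg-demo, the simplified iptables line format and all sample prefixes are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroupRule:
    """Minimal stand-in for a security group rule (hypothetical shape, not Neutron's model)."""
    direction: str        # "ingress" or "egress"
    protocol: str         # e.g. "tcp", "udp"
    remote_ip_prefix: str  # CIDR supplied by the tenant, untrusted input


def validate_cidr(prefix):
    """Return the normalized network string for a syntactically valid CIDR, else None.

    strict=False accepts host bits set in the address (10.0.0.1/24) and
    normalizes them to the network address, which is the usual intent for a
    remote prefix. Bad masks, bad octets and empty strings raise ValueError
    and are rejected here instead of reaching iptables-restore.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return None
    return str(net)


def partition_rules(rules):
    """Split rules into (accepted, rejected) before any rendering happens.

    Accepted rules carry the normalized prefix so the generated iptables text
    is canonical; rejected rules are returned so the caller can log or report
    them rather than silently dropping them.
    """
    accepted, rejected = [], []
    for rule in rules:
        normalized = validate_cidr(rule.remote_ip_prefix)
        if normalized is None:
            rejected.append(rule)
        else:
            accepted.append(SecurityGroupRule(rule.direction, rule.protocol, normalized))
    return accepted, rejected


def render_iptables_rules(rules, chain="neutron-sg-demo"):
    """Render already-validated rules as simplified iptables-restore lines.

    This is deliberately a toy format (assumption, not Neutron's real output):
    ingress rules match on source, egress rules on destination. Only rules
    that passed partition_rules should ever be passed in here.
    """
    lines = []
    for rule in rules:
        match_flag = "-s" if rule.direction == "ingress" else "-d"
        lines.append(f"-A {chain} {match_flag} {rule.remote_ip_prefix} -p {rule.protocol} -j RETURN")
    return lines


# Constructed sample input: three well-formed prefixes and three malformed ones.
SAMPLE_RULES = [
    SecurityGroupRule("ingress", "tcp", "10.0.0.0/24"),
    SecurityGroupRule("ingress", "tcp", "10.0.0.1/24"),       # host bits set, normalized
    SecurityGroupRule("egress", "udp", "2001:db8::/32"),
    SecurityGroupRule("ingress", "tcp", "10.0.0.0/33"),       # prefix length out of range
    SecurityGroupRule("ingress", "tcp", "10.0.0.256/24"),     # octet out of range
    SecurityGroupRule("ingress", "tcp", ""),                  # empty prefix
]


if __name__ == "__main__":
    ok, bad = partition_rules(SAMPLE_RULES)
    for line in render_iptables_rules(ok):
        print(line)
    for rule in bad:
        print(f"rejected invalid remote_ip_prefix: {rule.remote_ip_prefix!r}")
```

The important property is the ordering: validation and normalization happen once, on the API side of the pipeline, so a single malformed prefix can never stop the whole ruleset from being applied and cannot leave the agent in a state that needs a restart.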
@Christoph Yes, here it is.