Source group based security group rule without protocol and port causes failures

Bug #1010514 reported by Soren Hansen on 2012-06-08
276
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
High
Soren Hansen
Essex
Undecided
Thierry Carrez
nova (Ubuntu)
Undecided
Unassigned
Oneiric
Undecided
Steve Beattie
Precise
Undecided
Steve Beattie

Bug Description

I saw this on Essex, but looking at Folsom, this problem exists there, too.

If you add a security group rule granting security group A full access (no protocol and port specifications) to any instance in security group B, you will see an error like:

2012-06-08 14:52:37 TRACE nova.rpc.amqp Traceback (most recent call last):
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/rpc/amqp.py", line 252, in _process_data
2012-06-08 14:52:37 TRACE nova.rpc.amqp rval = node_func(context=ctxt, **node_args)
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/exception.py", line 114, in wrapped
2012-06-08 14:52:37 TRACE nova.rpc.amqp return f(*args, **kw)
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/compute/manager.py", line 288, in refresh_security_group_rules
2012-06-08 14:52:37 TRACE nova.rpc.amqp return self.driver.refresh_security_group_rules(security_group_id)
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/connection.py", line 1871, in refresh_security_group_rules
2012-06-08 14:52:37 TRACE nova.rpc.amqp self.firewall_driver.refresh_security_group_rules(security_group_id)
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/virt/firewall.py", line 356, in refresh_security_group_rules
2012-06-08 14:52:37 TRACE nova.rpc.amqp self.do_refresh_security_group_rules(security_group)
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/utils.py", line 943, in inner
2012-06-08 14:52:37 TRACE nova.rpc.amqp retval = f(*args, **kwargs)
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/virt/firewall.py", line 363, in do_refresh_security_group_rules
2012-06-08 14:52:37 TRACE nova.rpc.amqp self.add_filters_for_instance(instance)
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/virt/firewall.py", line 178, in add_filters_for_instance
2012-06-08 14:52:37 TRACE nova.rpc.amqp ipv4_rules, ipv6_rules = self.instance_rules(instance, network_info)
2012-06-08 14:52:37 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/virt/firewall.py", line 303, in instance_rules
2012-06-08 14:52:37 TRACE nova.rpc.amqp protocol = rule.protocol.lower()
2012-06-08 14:52:37 TRACE nova.rpc.amqp AttributeError: 'NoneType' object has no attribute 'lower'

..thus rendering further processing impossible.

CVE References

Changed in nova:
importance: Undecided → Medium
Russell Bryant (russellb) wrote :

Sounds like this is a bug in the patch for this bug: https://bugs.launchpad.net/nova/+bug/985184

Since an advisory went out for that, we should probably just commit the fix directly, and then post a follow-up to the security advisory to the mailing list indicating that the original patch was not sufficient.

Changed in nova:
status: New → Triaged
importance: Medium → High
Russell Bryant (russellb) wrote :

I'm going to open this up since it's related to another issue that's already public.

visibility: private → public
Changed in nova:
milestone: none → folsom-2
Russell Bryant (russellb) wrote :

This likely affects trunk, essex, and diablo.

Changed in nova:
assignee: nobody → Vish Ishaya (vishvananda)

Fix proposed to branch: master
Review: https://review.openstack.org/8382

Changed in nova:
status: Triaged → In Progress
Thierry Carrez (ttx) on 2012-06-11
no longer affects: nova/folsom

Fix proposed to branch: master
Review: https://review.openstack.org/8387

Changed in nova:
assignee: Vish Ishaya (vishvananda) → Soren Hansen (soren)

Reviewed: https://review.openstack.org/8387
Committed: http://github.com/openstack/nova/commit/bbdf82c5ec3e31a5dc43948291c4f37ce1098714
Submitter: Jenkins
Branch: master

commit bbdf82c5ec3e31a5dc43948291c4f37ce1098714
Author: Soren Hansen <email address hidden>
Date: Mon Jun 11 09:23:33 2012 +0200

    Only invoke .lower() on non-None protocols

    When using source group based security group rules (rather than CIDR
    based ones), it's permissible to not set a protocol and port. However,
    Nova would always try to convert the protocol to lower case, which would
    fail if the protocol wasn't set.

    Fixes bug 1010514

    Change-Id: I9b1519a52ececd16a497acebfe022508cbe96126

Changed in nova:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/8392
Committed: http://github.com/openstack/nova/commit/3ee026e4252cd4140b50675e857695b195ab5065
Submitter: Jenkins
Branch: stable/essex

commit 3ee026e4252cd4140b50675e857695b195ab5065
Author: Soren Hansen <email address hidden>
Date: Mon Jun 11 09:23:33 2012 +0200

    Only invoke .lower() on non-None protocols

    When using source group based security group rules (rather than CIDR
    based ones), it's permissible to not set a protocol and port. However,
    Nova would always try to convert the protocol to lower case, which would
    fail if the protocol wasn't set.

    Fixes bug 1010514

    Change-Id: I9b1519a52ececd16a497acebfe022508cbe96126

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nova (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) on 2012-06-12
Changed in nova (Ubuntu Oneiric):
status: New → In Progress
Changed in nova (Ubuntu Precise):
status: New → In Progress
Changed in nova (Ubuntu Oneiric):
assignee: nobody → Steve Beattie (sbeattie)
Changed in nova (Ubuntu Precise):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1-0ubuntu2.3

---------------
nova (2012.1-0ubuntu2.3) precise-security; urgency=low

  * REGRESSION FIX: security group without protocol set failure (LP: #1010514)
    - debian/patches/CVE-2012-2654-regression.patch: only call .lower()
      when a protocol has been set.
 -- Steve Beattie <email address hidden> Mon, 11 Jun 2012 16:00:50 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2011.3-0ubuntu6.8

---------------
nova (2011.3-0ubuntu6.8) oneiric-security; urgency=low

  * REGRESSION FIX: security group without protocol set failure (LP: #1010514)
    - debian/patches/CVE-2012-2654-regression.patch: only call .lower()
      when a protocol has been set.
 -- Steve Beattie <email address hidden> Mon, 11 Jun 2012 16:20:19 -0700

Changed in nova (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in nova (Ubuntu Precise):
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote :

stable/diablo under review @ https://review.openstack.org/#/c/8239/

Hello Soren, or anyone else affected,

Accepted nova into precise-proposed. The package will build now and be available in a few hours. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Mike Lundy (novas0x2a) wrote :

This security bug was made public before a fix landed in diablo. A fix still has not landed in diablo almost a month later. Can we please try to maintain discipline regarding the security policy? There's really no point in having an embargo if you're just going to ignore it.

Thierry Carrez (ttx) wrote :

@Mike: the security advisory pointed at the patch you can apply to Diablo to fix this issue. The stable/diablo branch is maintained by a subgroup of people interested in maintaining that stable branch, we can't wait for them to formally accept the patch in the branch before releasing the advisory and ending the embargo, which by nature is limited.

That said, I pinged them again so that they would approve it :)

Adam Gandelman (gandelman-a) wrote :

Please find the attached Jenkins job results from the Ubuntu Server Team's CI
infrastructure. As part of the verification process for this bug, Nova has
been deployed and configured across multiple nodes using precise-proposed as
an installation source. After successful bring-up and configuration of the
cluster, a number of exercises and smoke tests have be invoked to ensure the
updated package did not introduce any regressions. A number of test iterations
were carried out to catch any possible transient errors.

Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the
Jenkins links in the comments of the relevant upstream code-review:

https://review.openstack.org/8392

As per the provisional Micro Release Exception granted to this package by
the Technical Board, we hope this contributes toward verification of this
update.

Dave Walker (davewalker) on 2012-07-03
tags: added: verification-done
removed: verification-needed
Thierry Carrez (ttx) on 2012-07-04
Changed in nova:
status: Fix Committed → Fix Released
Chuck Short (zulcss) on 2012-07-31
Changed in nova (Ubuntu):
status: Confirmed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Thierry Carrez (ttx) on 2012-09-27
Changed in nova:
milestone: folsom-2 → 2012.2
Sean Dague (sdague) on 2014-09-15
no longer affects: nova/diablo
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers