OpenStack Compute (Nova)

Security groups are not sanity checked for incorrect data

Reported by Stanislaw Pitucha on 2011-10-07
278
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
High
Stanislaw Pitucha
Diablo
Undecided
Unassigned

Bug Description

When an user tries to add a new security group rule, it has a possibility of introducing incorrect entries to iptables.
For example port numbers outside of the allowed range will cause iptables to reject the whole batch of new rules. This stops not only new instance with that security rule attached, but also every other instance that would be created on that hosts, since all rules are loaded at the same time.

Brian Lamar (blamar) on 2011-10-07
Changed in nova:
assignee: nobody → Stanislaw Pitucha (stanislaw-pitucha)
status: New → In Progress
Thierry Carrez (ttx) on 2011-10-21
Changed in nova:
importance: Undecided → High
security vulnerability: no → yes

Reviewed: https://review.openstack.org/815
Committed: http://github.com/openstack/nova/commit/1a12349c056b52b488591abb1671ad94a6db6526
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit 1a12349c056b52b488591abb1671ad94a6db6526
Author: Ahmad Hassan <email address hidden>
Date: Fri Sep 30 15:10:33 2011 +0100

    Verify security group parameters

    Introduced various sanity checks before adding security group rule
    into the database. The checks have been implemented both in EC2 and
    openstack extension code.
    Implemented the suggestions made in first patch by Brian
    Fixed the unit tests in security groups
    Fixed pep8 issues in security group unit tests

    Fixes bug 869979.

    Change-Id: I2ac28666e90e7bdeacb7b1c2676c0719cfb9e441

Changed in nova:
status: In Progress → Fix Committed
Chuck Short (zulcss) on 2011-11-21
tags: added: ec2
Thierry Carrez (ttx) on 2011-11-25
Changed in nova:
milestone: none → essex-1
status: Fix Committed → Fix Released
tags: added: diablo-backport

Reviewed: https://review.openstack.org/2179
Committed: http://github.com/openstack/nova/commit/bcf241259246179035f20649f947b99b21d7978a
Submitter: Jenkins
Branch: stable/diablo

commit bcf241259246179035f20649f947b99b21d7978a
Author: Ahmad Hassan <email address hidden>
Date: Fri Sep 30 15:10:33 2011 +0100

    Verify security group parameters

    Introduced various sanity checks before adding security group rule
    into the database. The checks have been implemented both in EC2 and
    openstack extension code.
    Implemented the suggestions made in first patch by Brian
    Fixed the unit tests in security groups
    Fixed pep8 issues in security group unit tests

    Fixes bug 869979.

    (cherry picked from commit 1a12349c056b52b488591abb1671ad94a6db6526)

    Change-Id: I2ac28666e90e7bdeacb7b1c2676c0719cfb9e441

tags: added: in-stable-diablo
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-1 → 2012.1
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers