OpenStack Compute (nova)

Security groups are not sanity checked for incorrect data

Bug #869979 reported by Stanislaw Pitucha
278
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
High
Stanislaw Pitucha
OpenStack Compute (nova) 2012.1 "essex"
Diablo
Fix Released
Undecided
Unassigned
OpenStack Compute (nova) 2011.3.1

Bug Description

When an user tries to add a new security group rule, it has a possibility of introducing incorrect entries to iptables.
For example port numbers outside of the allowed range will cause iptables to reject the whole batch of new rules. This stops not only new instance with that security rule attached, but also every other instance that would be created on that hosts, since all rules are loaded at the same time.

Revision history for this message
Stanislaw Pitucha (stanislaw-pitucha) wrote :

Fix proposed in https://review.openstack.org/815

Brian Lamar (blamar)
Changed in nova:
assignee: nobody → Stanislaw Pitucha (stanislaw-pitucha)
status: New → In Progress
Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → High
security vulnerability: no → yes
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/815
Committed: http://github.com/openstack/nova/commit/1a12349c056b52b488591abb1671ad94a6db6526
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit 1a12349c056b52b488591abb1671ad94a6db6526
Author: Ahmad Hassan <email address hidden>
Date: Fri Sep 30 15:10:33 2011 +0100

    Verify security group parameters

    Introduced various sanity checks before adding security group rule
    into the database. The checks have been implemented both in EC2 and
    openstack extension code.
    Implemented the suggestions made in first patch by Brian
    Fixed the unit tests in security groups
    Fixed pep8 issues in security group unit tests

    Fixes bug 869979.

    Change-Id: I2ac28666e90e7bdeacb7b1c2676c0719cfb9e441

Changed in nova:
status: In Progress → Fix Committed
Chuck Short (zulcss)
tags: added: ec2
Thierry Carrez (ttx)
Changed in nova:
milestone: none → essex-1
status: Fix Committed → Fix Released
tags: added: diablo-backport
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/diablo)

Reviewed: https://review.openstack.org/2179
Committed: http://github.com/openstack/nova/commit/bcf241259246179035f20649f947b99b21d7978a
Submitter: Jenkins
Branch: stable/diablo

commit bcf241259246179035f20649f947b99b21d7978a
Author: Ahmad Hassan <email address hidden>
Date: Fri Sep 30 15:10:33 2011 +0100

    Verify security group parameters

    Introduced various sanity checks before adding security group rule
    into the database. The checks have been implemented both in EC2 and
    openstack extension code.
    Implemented the suggestions made in first patch by Brian
    Fixed the unit tests in security groups
    Fixed pep8 issues in security group unit tests

    Fixes bug 869979.

    (cherry picked from commit 1a12349c056b52b488591abb1671ad94a6db6526)

    Change-Id: I2ac28666e90e7bdeacb7b1c2676c0719cfb9e441

tags: added: in-stable-diablo
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-1 → 2012.1
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.