Security groups fail to be set correctly if incorrect case is used for protocol specification
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Medium | Russell Bryant | |
| Essex | Fix Released | Medium | Russell Bryant | |
| nova (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Precise | Fix Released | Undecided | Unassigned | |
Bug Description
The high level issue is that if a security group rule is specified with the protocol in uppercase (e.g. TCP instead of tcp) on a system using the IpTablesFirewal
The detail of the issue is as follows (Described from the OSAPI perspective, but the problem also exists on EC2)
When a security group rule is specified with the protocol in upper case it is validated (contrig/

```python
if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
…
values[
```

When the security group refresh is triggered (virt/firewall.py, instance_rules()) the protocol check is case sensitive:

```python
if protocol in ['udp', 'tcp']:
    if rule.cidr:
```

Because the stored protocol doesn't match 'udp' or 'tcp', the protocol part of the rule is skipped, leading to an incomplete and invalid iptables command line.
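The mismatch is easiest to see with the two code paths side by side. The following is an added illustration, not nova's code: `validate_rule`, `validate_rule_fixed`, `build_iptables_args` and `is_complete` are hypothetical stand-ins for the API-side validation and the firewall-side rule building quoted above, and the port and CIDR values are constructed sample input.

```python
"""Added example: a simplified model of the two nova code paths described in
this bug (API validation vs. firewall rule building). Function names are
hypothetical stand-ins, not nova's own API."""

# Canonical (lower-case) spellings the firewall side expects.
VALID_PROTOCOLS = ("tcp", "udp", "icmp")


def validate_rule(ip_protocol, from_port, to_port, cidr):
    """Stand-in for the API-side validation as the report describes it.

    The comparison is done on the upper-cased value, so 'TCP' and 'tcp'
    are both accepted, but the protocol is stored exactly as supplied.
    That stored value is what the firewall code later compares against.
    """
    if ip_protocol.upper() not in [p.upper() for p in VALID_PROTOCOLS]:
        raise ValueError("invalid ip_protocol: %r" % (ip_protocol,))
    return {"protocol": ip_protocol, "from_port": from_port,
            "to_port": to_port, "cidr": cidr}


def validate_rule_fixed(ip_protocol, from_port, to_port, cidr):
    """Same validation, but the stored protocol is normalised to lower case
    so every later consumer sees one canonical spelling."""
    rule = validate_rule(ip_protocol, from_port, to_port, cidr)
    rule["protocol"] = rule["protocol"].lower()
    return rule


def build_iptables_args(rule):
    """Stand-in for the firewall-side rule building.

    Like the instance_rules() check quoted on the page, the protocol match
    is case sensitive: a protocol spelled any other way than 'udp', 'tcp'
    or 'icmp' is silently skipped, so the returned argument list carries a
    source address but no '-p'/'--dport' selector.
    """
    args = []
    protocol = rule["protocol"]
    if protocol in ["udp", "tcp"]:
        args += ["-p", protocol, "--dport",
                 "%d:%d" % (rule["from_port"], rule["to_port"])]
    elif protocol == "icmp":
        args += ["-p", "icmp"]
    if rule["cidr"]:
        args += ["-s", rule["cidr"]]
    args += ["-j", "ACCEPT"]
    return args


def is_complete(args):
    """A rule with no protocol selector is the incomplete, invalid iptables
    command line the report describes."""
    return "-p" in args


if __name__ == "__main__":
    # Constructed sample rule: allow SSH from one /24.
    for validator in (validate_rule, validate_rule_fixed):
        rule = validator("TCP", 22, 22, "10.0.0.0/24")
        args = build_iptables_args(rule)
        print(validator.__name__, "complete" if is_complete(args) else "INCOMPLETE", args)
```

Running the block shows the unfixed path producing only `-s 10.0.0.0/24 -j ACCEPT` for an upper-case `TCP` rule, while the normalised path produces the expected `-p tcp --dport 22:22` selector. The general lesson is that validation and enforcement must agree on one canonical form; normalising at the point of storage is the simplest way to guarantee that.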
Related branches
- Chuck Short: Pending requested
- Diff: 56 lines (+14/-4), 3 files modified: debian/changelog (+8/-0), debian/control (+6/-3), debian/nova-console.install (+0/-1)
| Changed in | Field | Change |
|---|---|---|
| nova | importance | Undecided → High |
| nova | status | New → Triaged |
| nova | importance | High → Medium |
| nova | visibility | private → public |
| nova | status | Fix Committed → Fix Released |
| nova (Ubuntu) | status | New → Fix Released |
| nova (Ubuntu Precise) | status | New → Confirmed |
| nova | milestone | folsom-2 → 2012.2 |
| nova | no longer affects | nova/diablo |

@all I suggest that this is a "Normal" level security bug as per: http://wiki.openstack.org/VulnerabilityManagement
Looks like it should be an easy fix, thoughts?