ovsfw ignores port_ranges under some conditions

Bug #1708580 reported by IWAMOTO Toshihiro on 2017-08-04
Affects                      Importance  Assigned to
OpenStack Security Advisory  Undecided   Unassigned
OpenStack Security Notes     Undecided   Unassigned
neutron                      High        IWAMOTO Toshihiro

Bug Description

ovsfw ignores port_ranges when protocol is not literal udp or tcp.
sctp and numeric protocol values don't work and result in too permissive filtering.
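The defect class described above, as an added example that is not neutron's code: a rule-to-match translator that applies a port range only when the protocol is the literal string "tcp" or "udp", beside one that first normalizes the protocol (name or IANA number) so sctp and numeric protocols keep their port range. The rule dicts, the PROTO_NUM mapping and the audit helper are constructed for illustration.

```python
from typing import Optional

# Constructed mapping of protocol names to IANA numbers; ports apply only to 6/17/132.
PROTO_NUM = {"tcp": 6, "udp": 17, "sctp": 132, "icmp": 1}
PORT_PROTOS = {6, 17, 132}


def naive_match(rule: dict) -> dict:
    """Buggy behaviour: the port range is only honoured for literal 'tcp'/'udp'."""
    match = {"proto": rule.get("protocol")}
    if rule.get("protocol") in ("tcp", "udp") and rule.get("port_range_min") is not None:
        match["ports"] = (rule["port_range_min"], rule["port_range_max"])
    return match


def normalize_protocol(proto: Optional[str]) -> Optional[int]:
    """Map 'tcp'/'udp'/'sctp'/'icmp' or a numeric string such as '6' to an int."""
    if not proto:
        return None
    if proto.lower() in PROTO_NUM:
        return PROTO_NUM[proto.lower()]
    if proto.isdigit() and 0 <= int(proto) <= 255:
        return int(proto)
    raise ValueError(f"unknown protocol {proto!r}")


def fixed_match(rule: dict) -> dict:
    """Corrected behaviour: normalize first, then apply ports to every port protocol."""
    proto = normalize_protocol(rule.get("protocol"))
    match = {"proto": proto}
    if proto in PORT_PROTOS and rule.get("port_range_min") is not None:
        pmin = rule["port_range_min"]
        pmax = rule.get("port_range_max") or pmin
        match["ports"] = (pmin, pmax)
    return match


def audit_rules(rules):
    """Return rules whose port range the naive translation silently drops."""
    return [r for r in rules if "ports" in fixed_match(r) and "ports" not in naive_match(r)]


SAMPLE_RULES = [  # constructed security-group rules
    {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"protocol": "sctp", "port_range_min": 3868, "port_range_max": 3868},
    {"protocol": "6", "port_range_min": 443, "port_range_max": 443},
    {"protocol": "icmp", "port_range_min": None, "port_range_max": None},
]

if __name__ == "__main__":
    for r in audit_rules(SAMPLE_RULES):
        print("port range silently ignored (too permissive):", r)
```

Run against a dump of real rules, audit_rules lists every rule whose sctp or numeric protocol would have been matched without its port range by the buggy translation.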

Fix proposed to branch: master
Review: https://review.openstack.org/490753

Changed in neutron:
assignee: nobody → IWAMOTO Toshihiro (iwamoto)
status: New → In Progress
Changed in neutron:
importance: Undecided → High
Changed in neutron:
milestone: none → pike-rc2
information type: Public → Public Security

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Back in Mitaka, OVS was an experimental security groups driver. Is it deemed production ready in Newton?

Changed in ossa:
status: New → Incomplete
IWAMOTO Toshihiro (iwamoto) wrote :

Not sure if this is a security advisory item.
If it is, bug/1708358 needs to be handled so, too.

Reviewed: https://review.openstack.org/490753
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=effa12889ba3393ec22d9a44e21cf00768643730
Submitter: Jenkins
Branch: master

commit effa12889ba3393ec22d9a44e21cf00768643730
Author: IWAMOTO Toshihiro <email address hidden>
Date: Fri Aug 4 15:20:08 2017 +0900

    ovsfw: Fix port_ranges handling

    ovsfw ignored port_ranges when a SG rule protocol was sctp or given
    in a number rather than a token. This commit fixes that.

    Change-Id: I6c810a152990246d42d98c3673c4b5ee126ebb4b
    Closes-bug: #1708580

Changed in neutron:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/501948
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6d43f2b1ad0f15992364cda3a0c691de5768dfd2
Submitter: Jenkins
Branch: stable/pike

commit 6d43f2b1ad0f15992364cda3a0c691de5768dfd2
Author: IWAMOTO Toshihiro <email address hidden>
Date: Fri Aug 4 15:20:08 2017 +0900

    ovsfw: Fix port_ranges handling

    ovsfw ignored port_ranges when a SG rule protocol was sctp or given
    in a number rather than a token. This commit fixes that.

    Change-Id: I6c810a152990246d42d98c3673c4b5ee126ebb4b
    Closes-bug: #1708580
    (cherry picked from commit effa12889ba3393ec22d9a44e21cf00768643730)

tags: added: in-stable-pike

This issue was fixed in the openstack/neutron 11.0.1 release.

This issue was fixed in the openstack/neutron 12.0.0.0b1 development milestone.

I suggest closing the OSSA task because of class D (https://security.openstack.org/vmt-process.html#incident-report-taxonomy).

IWAMOTO Toshihiro (iwamoto) wrote :

Is there a definition of a vulnerability?
There have been a couple of security groups OSSAs. To me, it is not clear what amounts to an OSSA or note.

IWAMOTO, I guess you could use this definition: https://cve.mitre.org/about/terminology.html#vulnerability

Then regarding the OSSA task, we don't issue advisories for experimental features, and if I understand correctly, ovsfw is still experimental/incomplete. Thus if it's not a class D, then it is at best a class B3.

I have created an OSSN task to discuss the scope of this bug, perhaps it could use a security note.

IWAMOTO Toshihiro (iwamoto) wrote :

Hi Tristan,

I tend to think the ovsfw is experimental but the release note doesn't have any "experimental" wording.

Added the ovsfw author to the bug subscribers list.
