2024-03-17 14:47:02 |
Robert Breker |
bug |
|
|
added bug |
2024-03-17 14:49:41 |
Robert Breker |
attachment added |
|
Enhance-IptablesFirewallDriver-with-remote-address-g.patch https://bugs.launchpad.net/neutron/+bug/2058138/+attachment/5756536/+files/Enhance-IptablesFirewallDriver-with-remote-address-g.patch |
|
2024-03-17 14:50:16 |
Robert Breker |
description |
High level description -
The Neutron API allows operators to configure remote address groups [1]; however, the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in the case of the IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
Al OpenStack versions with remote address group support are impacted. We noticed it on 2023.1.
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html |
High level description -
The Neutron API allows operators to configure remote address groups [1]; however, the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in the case of the IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2023.1.
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html |
|
2024-03-17 17:31:56 |
Brian Haley |
bug |
|
|
added subscriber Brian Haley |
2024-03-17 19:38:32 |
Robert Breker |
description |
High level description -
The Neutron API allows operators to configure remote address groups [1]; however, the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in the case of the IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2023.1.
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html |
High level description -
The Neutron API allows operators to configure remote address groups [1]; however, the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in the case of the IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html |
|
2024-03-18 13:27:55 |
Lajos Katona |
tags |
|
sg-fw |
|
2024-03-18 14:22:58 |
Jeremy Stanley |
description |
High level description -
The Neutron API allows operators to configure remote address groups [1]; however, the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in the case of the IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2024-06-16 and will be made
public by or on that date even if no fix is identified.
High level description -
The Neutron API allows operators to configure remote address groups [1]; however, the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in the case of the IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html |
|
2024-03-18 14:23:12 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2024-03-18 14:23:19 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2024-03-18 14:23:52 |
Jeremy Stanley |
bug |
|
|
added subscriber Neutron Core Security reviewers |
2024-03-19 11:16:07 |
Robert Breker |
attachment added |
|
Enhance-IptablesFirewallDriver-with-remote-address-g-v2.patch https://bugs.launchpad.net/neutron/+bug/2058138/+attachment/5757171/+files/Enhance-IptablesFirewallDriver-with-remote-address-g-v2.patch |
|
2024-03-19 16:23:33 |
Lajos Katona |
neutron: importance |
Undecided |
High |
|
2024-03-19 16:40:23 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2024-06-16 and will be made
public by or on that date even if no fix is identified.
High level description -
The Neutron API allows operators to configure remote address groups [1]; however, the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in the case of the IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html |
High level description -
The Neutron API allows operators to configure remote address groups [1]; however, the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in the case of the IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html |
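The description above (the same text in every revision of this report) explains the failure mode and the suggested fix direction: a rule with a remote address group must be translated into an iptables match against a hashed ipset of the group's CIDRs, the same way remote security groups are handled, otherwise the rule matches on protocol and port alone. The following is an added illustration written for this page; it is not Neutron's code and not the attached patch. It models a rule generator that ignores `remote_address_group_id` (the reported behaviour), one that adds an ipset match (the suggested fix), and a small audit that flags a rule whose generated iptables arguments carry no remote restriction although the API rule specifies one. The rule dict field names follow the Neutron security-group-rule API; the address group contents, the ipset naming scheme (`AG<ethertype>-<id>`), and all function names are constructed assumptions.

```python
"""Added example: audit iptables rule generation for Neutron-style security
group rules that carry a remote address group.  Not Neutron's own code."""
import ipaddress

# Constructed sample address group (not from the bug report).
ADDRESS_GROUPS = {
    "ag-trusted": ["10.10.0.0/24", "192.0.2.0/28"],
}

# Constructed sample rule: ingress TCP/22 from the trusted address group only.
SAMPLE_RULE = {
    "direction": "ingress",
    "ethertype": "IPv4",
    "protocol": "tcp",
    "port_range_min": 22,
    "port_range_max": 22,
    "remote_ip_prefix": None,
    "remote_address_group_id": "ag-trusted",
}


def ipset_name(ag_id, ethertype):
    # Constructed naming scheme; Neutron's real ipset names differ.
    return f"AG{ethertype}-{ag_id}"


def build_ipset_commands(ag_id, ethertype):
    """ipset commands that materialise the group as a hash:net set."""
    family = "inet" if ethertype == "IPv4" else "inet6"
    name = ipset_name(ag_id, ethertype)
    cmds = [f"ipset create {name} hash:net family {family} -exist"]
    for cidr in ADDRESS_GROUPS[ag_id]:
        net = ipaddress.ip_network(cidr)
        # Only put v4 prefixes in the v4 set and v6 prefixes in the v6 set.
        if (net.version == 4) == (ethertype == "IPv4"):
            cmds.append(f"ipset add {name} {cidr} -exist")
    return cmds


def _base_args(rule):
    """Protocol and port matches shared by both generators."""
    args = []
    if rule.get("protocol"):
        args += ["-p", rule["protocol"]]
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None:
        args += ["--dport", f"{lo}:{hi if hi is not None else lo}"]
    if rule.get("remote_ip_prefix"):
        args += ["-s" if rule["direction"] == "ingress" else "-d",
                 rule["remote_ip_prefix"]]
    return args


def broken_iptables_args(rule):
    """Models the reported behaviour: remote_address_group_id is ignored,
    so the rule admits traffic from any source on the given port."""
    return _base_args(rule) + ["-j", "RETURN"]


def fixed_iptables_args(rule):
    """Adds an ipset match for the remote address group, mirroring how
    remote security groups are restricted (the fix direction the report
    suggests)."""
    args = _base_args(rule)
    ag = rule.get("remote_address_group_id")
    if ag:
        flag = "src" if rule["direction"] == "ingress" else "dst"
        args += ["-m", "set", "--match-set",
                 ipset_name(ag, rule["ethertype"]), flag]
    return args + ["-j", "RETURN"]


def unrestricted_remote(rule, args):
    """Audit check: True when the API rule names a remote restriction
    (prefix or address group) but the generated arguments carry none."""
    wants = bool(rule.get("remote_ip_prefix")
                 or rule.get("remote_address_group_id"))
    has = "-s" in args or "-d" in args or "--match-set" in args
    return wants and not has


def audit(rule, generator):
    """Run one generator over a rule and report whether it is too open."""
    return unrestricted_remote(rule, generator(rule))


if __name__ == "__main__":
    for cmd in build_ipset_commands("ag-trusted", "IPv4"):
        print(cmd)
    print("broken:", " ".join(broken_iptables_args(SAMPLE_RULE)),
          "-> too open:", audit(SAMPLE_RULE, broken_iptables_args))
    print("fixed: ", " ".join(fixed_iptables_args(SAMPLE_RULE)),
          "-> too open:", audit(SAMPLE_RULE, fixed_iptables_args))
```

The audit function is the part an operator can reuse against real output: compare the rules the API reports for a port with the arguments actually programmed into the instance's iptables chain, and treat any rule that names a remote address group but produces no `--match-set` (or `-s`/`-d`) match as the more-open-than-configured condition the report describes.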
|
2024-03-19 16:40:31 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2024-03-19 18:03:09 |
OpenStack Infra |
neutron: status |
New |
In Progress |
|
2024-03-20 19:30:13 |
Robert Breker |
neutron: assignee |
|
Robert Breker (rbreker) |
|
2024-03-21 10:08:19 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Released |
|
2024-03-29 23:02:09 |
OpenStack Infra |
tags |
sg-fw |
in-stable-zed sg-fw |
|