ovsfw ignores port_ranges under some conditions

Bug #1708580 reported by IWAMOTO Toshihiro
Affects                      Status        Importance  Assigned to        Milestone
OpenStack Security Advisory  Won't Fix     Undecided   Unassigned
OpenStack Security Notes     New           Undecided   Unassigned
neutron                      Fix Released  High        IWAMOTO Toshihiro

Bug Description

ovsfw ignores port_ranges when protocol is not literal udp or tcp.
sctp and numeric protocol values don't work and result in too permissive filtering.
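As an added illustration of the bug described above (this is not neutron's own code), the following Python models how an OVS firewall driver turns a security-group rule into an OpenFlow match: the pre-fix translation honours the port range only for the literal strings tcp/udp, so an sctp or numeric-protocol rule silently matches every port, while the fixed translation normalises the protocol first. All function and field names are hypothetical.

```python
# Added illustration of bug #1708580, not neutron's own code: a simplified
# model of rule-to-flow translation. Names and match fields are hypothetical.

# IANA protocol numbers for the protocols that carry L4 port numbers.
PROTO_NUM_TO_NAME = {"6": "tcp", "17": "udp", "132": "sctp"}
PROTOCOLS_WITH_PORTS = ("tcp", "udp", "sctp")

def normalize_protocol(protocol):
    """Map '6' -> 'tcp', 'SCTP' -> 'sctp'; leave other values unchanged."""
    if protocol is None:
        return None
    proto = str(protocol).lower()
    return PROTO_NUM_TO_NAME.get(proto, proto)

def _port_range_match(proto_name, rule):
    """Build the destination-port part of the match from the rule's range."""
    pmin, pmax = rule.get("port_range_min"), rule.get("port_range_max")
    if pmin is None:
        return {}
    if pmax is None or pmax == pmin:
        return {proto_name + "_dst": pmin}
    return {proto_name + "_dst": (pmin, pmax)}

def rule_to_match_buggy(rule):
    """Pre-fix behaviour: the port range is honoured only for the literal
    strings 'tcp'/'udp'; 'sctp' or '6' silently matches every port."""
    protocol = rule.get("protocol")
    match = {"nw_proto": protocol} if protocol is not None else {}
    if protocol in ("tcp", "udp"):
        match.update(_port_range_match(protocol, rule))
    return match

def rule_to_match_fixed(rule):
    """Post-fix behaviour: normalise the protocol, then apply the range."""
    proto_name = normalize_protocol(rule.get("protocol"))
    match = {"nw_proto": proto_name} if proto_name is not None else {}
    if proto_name in PROTOCOLS_WITH_PORTS:
        match.update(_port_range_match(proto_name, rule))
    return match

def is_over_permissive(rule):
    """True when the buggy translation drops a port range the rule asked for."""
    if rule.get("port_range_min") is None:
        return False
    return not any(k.endswith("_dst") for k in rule_to_match_buggy(rule))

# Constructed sample: "allow SSH only", written with the numeric protocol.
SAMPLE_RULE = {"protocol": "6", "port_range_min": 22, "port_range_max": 22}
```

Running is_over_permissive over a tenant's rules is a quick way to find rules whose intended port restriction an unpatched driver would not enforce.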

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/490753

Changed in neutron:
assignee: nobody → IWAMOTO Toshihiro (iwamoto)
status: New → In Progress
Changed in neutron:
importance: Undecided → High
Changed in neutron:
milestone: none → pike-rc2
information type: Public → Public Security
Tristan Cacqueray (tristan-cacqueray) wrote:

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Back in Mitaka, OVS was an experimental security groups driver. Is it deemed production ready in Newton?

Changed in ossa:
status: New → Incomplete
IWAMOTO Toshihiro (iwamoto) wrote:

Not sure if this is a security advisory item.
If it is, bug/1708358 needs to be handled so, too.

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/490753
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=effa12889ba3393ec22d9a44e21cf00768643730
Submitter: Jenkins
Branch: master

commit effa12889ba3393ec22d9a44e21cf00768643730
Author: IWAMOTO Toshihiro <email address hidden>
Date: Fri Aug 4 15:20:08 2017 +0900

    ovsfw: Fix port_ranges handling

    ovsfw ignored port_ranges when a SG rule protocol was sctp or given
    in a number rather than a token. This commit fixes that.

    Change-Id: I6c810a152990246d42d98c3673c4b5ee126ebb4b
    Closes-bug: #1708580

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/501948

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/501948
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6d43f2b1ad0f15992364cda3a0c691de5768dfd2
Submitter: Jenkins
Branch: stable/pike

commit 6d43f2b1ad0f15992364cda3a0c691de5768dfd2
Author: IWAMOTO Toshihiro <email address hidden>
Date: Fri Aug 4 15:20:08 2017 +0900

    ovsfw: Fix port_ranges handling

    ovsfw ignored port_ranges when a SG rule protocol was sctp or given
    in a number rather than a token. This commit fixes that.

    Change-Id: I6c810a152990246d42d98c3673c4b5ee126ebb4b
    Closes-bug: #1708580
    (cherry picked from commit effa12889ba3393ec22d9a44e21cf00768643730)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 11.0.1

This issue was fixed in the openstack/neutron 11.0.1 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 12.0.0.0b1

This issue was fixed in the openstack/neutron 12.0.0.0b1 development milestone.

Tristan Cacqueray (tristan-cacqueray) wrote:

I suggest closing the OSSA task because of class D (https://security.openstack.org/vmt-process.html#incident-report-taxonomy).

IWAMOTO Toshihiro (iwamoto) wrote:

Is there a definition of a vulnerability?
There have been a couple of security groups OSSAs. To me, it is not clear what amounts to an OSSA or note.

Tristan Cacqueray (tristan-cacqueray) wrote:

IWAMOTO, I guess you could use this definition: https://cve.mitre.org/about/terminology.html#vulnerability

Then regarding the OSSA task, we don't issue advisories for experimental features, and if I understand correctly, ovsfw is still experimental/incomplete. Thus if it's not a class D, then it is at best a class B3.

I have created an OSSN task to discuss the scope of this bug, perhaps it could use a security note.

IWAMOTO Toshihiro (iwamoto) wrote:

Hi Tristan,

I tend to think the ovsfw is experimental, but the release note doesn't have any "experimental" wording.

Added the ovsfw author to the bug subscribers list.

Jeremy Stanley (fungi) wrote:

Fixes merged so long ago that no vulnerable branches are still supported, so I've marked our security advisory task Won't Fix indicating publication of any advisory at this point is highly unlikely.

Changed in ossa:
status: Incomplete → Won't Fix
This report contains Public Security information: everyone can see this security related information.