[CVE-2016-9599] undercloud firewall opening all ports with ssl enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | Critical | Emilien Macchi |
Newton | Fix Released | Critical | Emilien Macchi |
Bug Description
Example of a simple telnet session to the undercloud on a port that should not be open:
[root@overcloud
Trying 9.1.1.1...
Connected to 9.1.1.1.
Escape character is '^]'.
hello
[root@undercloud centos]# nc -k -l -p 12010
hello
The cause appears to be an error in the undercloud ssl puppet config where it is adding accept rules without a port specified, so it's allowing traffic on all ports. Ironically, an undercloud without ssl does not have this problem.
There are several incorrect rules, but here's one example:
-A INPUT -p tcp -m comment --comment "100 glance_
One more complication with this - right now our CI is relying on this bug to function. We'll need to figure out which port is being blocked and breaking our gearman communication as part of fixing this.
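The defect described above is an ACCEPT rule in the INPUT chain that carries no port match, so it admits traffic on every port. As an added example (not code from this bug report or from TripleO), the script below audits iptables-save formatted output for that class of rule: any tcp/udp ACCEPT in INPUT with no `--dport`/`--dports` and no source restriction. It is written to catch the general pattern rather than only the glance rule quoted above, and the ruleset it runs over is a constructed sample, not a capture from a real undercloud.

```python
"""Audit iptables-save output for INPUT ACCEPT rules that match no port.

Added example, not code from the bug report or from TripleO. It flags tcp/udp
ACCEPT rules in the INPUT chain that carry neither a destination port match
nor a source restriction, i.e. the "accept rule without a port" defect the
bug describes. Input is assumed to be text in iptables-save format.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    chain: str
    target: Optional[str] = None
    proto: Optional[str] = None
    ports: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)
    comment: Optional[str] = None
    raw: str = ""


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ...' line; return None for non-rule lines
    (table headers, chain policies, COMMIT, comments)."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = Rule(chain=tokens[1], raw=line)
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-p":
            rule.proto = arg
            i += 2
        elif tok in ("--dport", "--dports"):
            rule.ports.extend(arg.split(","))
            i += 2
        elif tok in ("-s", "--source"):
            rule.sources.append(arg)
            i += 2
        elif tok == "--comment":
            rule.comment = arg
            i += 2
        elif tok == "-j":
            rule.target = arg
            i += 2
        else:
            i += 1  # matches we do not need here (-m, --state, -i, ...)
    return rule


def find_unscoped_accepts(iptables_save_text: str) -> List[Rule]:
    """Return INPUT ACCEPT rules for tcp/udp that name no port and no source.

    Stateful ACCEPTs (--state RELATED,ESTABLISHED), loopback and icmp rules
    carry no -p tcp/udp and are intentionally not reported.
    """
    findings = []
    for line in iptables_save_text.splitlines():
        rule = parse_rule(line.strip())
        if rule is None or rule.chain != "INPUT" or rule.target != "ACCEPT":
            continue
        if rule.proto in ("tcp", "udp") and not rule.ports and not rule.sources:
            findings.append(rule)
    return findings


# Constructed sample ruleset (labelled as such; service names are placeholders).
SAMPLE_IPTABLES_SAVE = """\
# constructed sample, not captured from a real undercloud
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "001 ssh" -j ACCEPT
-A INPUT -p tcp -m comment --comment "100 example_api_ssl" -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m comment --comment "110 example_admin_net" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13000,13292 -m comment --comment "120 example_ssl" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for rule in find_unscoped_accepts(SAMPLE_IPTABLES_SAVE):
        print("wide-open ACCEPT:", rule.comment or "(no comment)", "|", rule.raw)
```

Run against real output with `iptables-save | python audit.py` after swapping the sample for `sys.stdin.read()`; the `100 example_api_ssl` rule is the only one reported, because it is the only tcp ACCEPT that narrows on neither port nor source. A rule scoped by `-s` alone is deliberately not flagged here, although a stricter policy might report it too.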
CVE References
Changed in tripleo:
assignee: Ben Nemec (bnemec) → Emilien Macchi (emilienm)
information type: Private Security → Public Security
summary: undercloud firewall opening all ports with ssl enabled → [CVE-2016-9599] undercloud firewall opening all ports with ssl enabled
Changed in tripleo:
importance: High → Critical
This also appears to affect newton, but not mitaka because the changes that caused this weren't made yet in mitaka.