[CVE-2016-9599] undercloud firewall opening all ports with ssl enabled

This also appears to affect newton, but not mitaka because the changes that caused this weren't made yet in mitaka.

This is my first attempt to fix the problem.

The diff seems wrong, it's
+ if $service_port {
+ $haproxy_ssl_firewall_rules = {
+ "100 ${name}_haproxy_ssl" => {
+ 'dport' => $public_ssl_port,
+ },
+ }
+ }

and it should be:

+ if $public_ssl_port {
+ $haproxy_ssl_firewall_rules = {
+ "100 ${name}_haproxy_ssl" => {
+ 'dport' => $public_ssl_port,
+ },
+ }
+ }

Juan, yes you're right, I had issues with Launchpad to update the second patch I prepared. Please review it again. Thanks!

Juan and I tested this new patch on the undercloud and it seems to work fine. We're now testing on the overcloud.

Fix proposed to branch: master
Review: https://review.openstack.org/414238

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/414239

Note that it appears our ci is not depending on this bug anymore, so we're free to fix it without blocking anything new.

Reviewed: https://review.openstack.org/414238
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=70c9dca45335150daae65d0bbf44908711b0f1d2
Submitter: Jenkins
Branch: master

commit 70c9dca45335150daae65d0bbf44908711b0f1d2
Author: Emilien Macchi <email address hidden>
Date: Wed Dec 21 15:10:52 2016 -0500

    [CVE-2016-9599] Enforce Firewall TCP / UDP rules management

    This closes CVE-2016-9599.

    1) Sanitize dynamic HAproxy endpoints firewall rules

    Build the hash of firewall rules only when a port is specified. The
    HAproxy endpoints are using TCP protocol, which means we have to specify
    a port to the IPtables rules.
    Some services don't have public network exposure (e.g. Glance Registry),
    which means they don't need haproxy_ssl rule.
    The code prepare the hash depending on the service_port and
    public_ssl_port parameters and create the actual firewall rules only if
    one of those or both parameters are specified.
    It will prevent new services without public exposure to open all traffic
    because no port is specified.

    2) Secure Firewall rules creations

    The code won't allow to create TCP / UDP IPtables rules in INPUT
    or OUTPUT chains without port or sport or dport, because doing it would
    allow an IPtables rule opening all traffic for TCP or UDP.
    If we try to do that, Puppet catalog will fail with an error explaining
    why.
    Example of use-cases:
    - creating VRRP rules wouldn't require port parameters.
    - creating TCP or UDP rules would require port parameters.

    3) Allow to open all traffic for TCO / UDP (when desired)

    Some use-cases require to open all traffic for all ports on TCP / UDP.
    It will be possible if the user gives port = 'all' when creating the
    firewall rule.

    Backward compatibility:
    - if our users created custom TCP / UDP firewall rules without port
      parameters, it won't work anymore, for security purpose.
    - if you users want to open TCP / UDP for all ports, they need to pass
      port = 'all' and the rule will be created, though a warning will be
      displayed because this is insecure.
    - if our users created custom VRRP rules without port parameters, it
      will still work correctly and rules will be created.
    - TCP / UDP rules in FORWARD chain without port are still accepted.

    Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
    Closes-Bug: #1651831

Reviewed: https://review.openstack.org/414239
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3be9575fb091582ec0666d57efc7e8158ae7c17e
Submitter: Jenkins
Branch: stable/newton

commit 3be9575fb091582ec0666d57efc7e8158ae7c17e
Author: Emilien Macchi <email address hidden>
Date: Wed Dec 21 15:10:52 2016 -0500

    [CVE-2016-9599] Enforce Firewall TCP / UDP rules management

    This closes CVE-2016-9599.

    1) Sanitize dynamic HAproxy endpoints firewall rules

    Build the hash of firewall rules only when a port is specified. The
    HAproxy endpoints are using TCP protocol, which means we have to specify
    a port to the IPtables rules.
    Some services don't have public network exposure (e.g. Glance Registry),
    which means they don't need haproxy_ssl rule.
    The code prepare the hash depending on the service_port and
    public_ssl_port parameters and create the actual firewall rules only if
    one of those or both parameters are specified.
    It will prevent new services without public exposure to open all traffic
    because no port is specified.

    2) Secure Firewall rules creations

    The code won't allow to create TCP / UDP IPtables rules in INPUT
    or OUTPUT chains without port or sport or dport, because doing it would
    allow an IPtables rule opening all traffic for TCP or UDP.
    If we try to do that, Puppet catalog will fail with an error explaining
    why.
    Example of use-cases:
    - creating VRRP rules wouldn't require port parameters.
    - creating TCP or UDP rules would require port parameters.

    3) Allow to open all traffic for TCO / UDP (when desired)

    Some use-cases require to open all traffic for all ports on TCP / UDP.
    It will be possible if the user gives port = 'all' when creating the
    firewall rule.

    Backward compatibility:
    - if our users created custom TCP / UDP firewall rules without port
      parameters, it won't work anymore, for security purpose.
    - if you users want to open TCP / UDP for all ports, they need to pass
      port = 'all' and the rule will be created, though a warning will be
      displayed because this is insecure.
    - if our users created custom VRRP rules without port parameters, it
      will still work correctly and rules will be created.
    - TCP / UDP rules in FORWARD chain without port are still accepted.

    Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
    Closes-Bug: #1651831
    (cherry picked from commit 2e0f82822942308594115c42fe82d078e5a4af45)

This issue was fixed in the openstack/puppet-tripleo 5.5.0 release.

This issue was fixed in the openstack/puppet-tripleo 6.2.0 release.