tripleo

Comment 11 for bug 1651831

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-22: Fix merged to puppet-tripleo (stable/newton)

#11

Reviewed: https://review.openstack.org/414239
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3be9575fb091582ec0666d57efc7e8158ae7c17e
Submitter: Jenkins
Branch: stable/newton

commit 3be9575fb091582ec0666d57efc7e8158ae7c17e
Author: Emilien Macchi <email address hidden>
Date: Wed Dec 21 15:10:52 2016 -0500

[CVE-2016-9599] Enforce Firewall TCP / UDP rules management

This closes CVE-2016-9599.

1) Sanitize dynamic HAproxy endpoints firewall rules

    Build the hash of firewall rules only when a port is specified. The
    HAproxy endpoints are using TCP protocol, which means we have to specify
    a port to the IPtables rules.
    Some services don't have public network exposure (e.g. Glance Registry),
    which means they don't need haproxy_ssl rule.
    The code prepare the hash depending on the service_port and
    public_ssl_port parameters and create the actual firewall rules only if
    one of those or both parameters are specified.
    It will prevent new services without public exposure to open all traffic
    because no port is specified.

2) Secure Firewall rules creations

    The code won't allow to create TCP / UDP IPtables rules in INPUT
    or OUTPUT chains without port or sport or dport, because doing it would
    allow an IPtables rule opening all traffic for TCP or UDP.
    If we try to do that, Puppet catalog will fail with an error explaining
    why.
    Example of use-cases:
    - creating VRRP rules wouldn't require port parameters.
    - creating TCP or UDP rules would require port parameters.

3) Allow to open all traffic for TCO / UDP (when desired)

    Some use-cases require to open all traffic for all ports on TCP / UDP.
    It will be possible if the user gives port = 'all' when creating the
    firewall rule.

    Backward compatibility:
    - if our users created custom TCP / UDP firewall rules without port
      parameters, it won't work anymore, for security purpose.
    - if you users want to open TCP / UDP for all ports, they need to pass
      port = 'all' and the rule will be created, though a warning will be
      displayed because this is insecure.
    - if our users created custom VRRP rules without port parameters, it
      will still work correctly and rules will be created.
    - TCP / UDP rules in FORWARD chain without port are still accepted.

    Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
    Closes-Bug: #1651831
    (cherry picked from commit 2e0f82822942308594115c42fe82d078e5a4af45)

Reviewed:  https://review.openstack.org/414239
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3be9575fb091582ec0666d57efc7e8158ae7c17e
Submitter: Jenkins
Branch:    stable/newton

commit 3be9575fb091582ec0666d57efc7e8158ae7c17e
Author: Emilien Macchi <emilien@redhat.com>
Date:   Wed Dec 21 15:10:52 2016 -0500

[CVE-2016-9599] Enforce Firewall TCP / UDP rules management
    
    This closes CVE-2016-9599.
    
    1) Sanitize dynamic HAproxy endpoints firewall rules
    
    Build the hash of firewall rules only when a port is specified. The
    HAproxy endpoints are using TCP protocol, which means we have to specify
    a port to the IPtables rules.
    Some services don't have public network exposure (e.g. Glance Registry),
    which means they don't need haproxy_ssl rule.
    The code prepare the hash depending on the service_port and
    public_ssl_port parameters and create the actual firewall rules only if
    one of those or both parameters are specified.
    It will prevent new services without public exposure to open all traffic
    because no port is specified.
    
    2) Secure Firewall rules creations
    
    The code won't allow to create TCP / UDP IPtables rules in INPUT
    or OUTPUT chains without port or sport or dport, because doing it would
    allow an IPtables rule opening all traffic for TCP or UDP.
    If we try to do that, Puppet catalog will fail with an error explaining
    why.
    Example of use-cases:
    - creating VRRP rules wouldn't require port parameters.
    - creating TCP or UDP rules would require port parameters.
    
    3) Allow to open all traffic for TCO / UDP (when desired)
    
    Some use-cases require to open all traffic for all ports on TCP / UDP.
    It will be possible if the user gives port = 'all' when creating the
    firewall rule.
    
    Backward compatibility:
    - if our users created custom TCP / UDP firewall rules without port
      parameters, it won't work anymore, for security purpose.
    - if you users want to open TCP / UDP for all ports, they need to pass
      port = 'all' and the rule will be created, though a warning will be
      displayed because this is insecure.
    - if our users created custom VRRP rules without port parameters, it
      will still work correctly and rules will be created.
    - TCP / UDP rules in FORWARD chain without port are still accepted.
    
    Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
    Closes-Bug: #1651831
    (cherry picked from commit 2e0f82822942308594115c42fe82d078e5a4af45)