yahoo-eng-team team mailing list archive
Message #22116
[Bug 1336207] Re: [OSSA 2014-025] There is no quota for allowed address pair (CVE-2014-3555)
** Changed in: neutron/havana
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1336207
Title:
[OSSA 2014-025] There is no quota for allowed address pair (CVE-2014-3555)
Status in OpenStack Neutron (virtual network service):
Fix Released
Status in neutron havana series:
Fix Released
Status in neutron icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
Hi all,
There is no quota for allowed address pairs; a user can create unlimited
allowed address pairs, and in the backend there will be at least one
iptables rule for each allowed address pair. I tested it: if we use the
attached script to add about 10,000 allowed address pairs, it takes
30 sec to refresh the iptables rules in the kernel... I think that a bad
man can use this API to attack compute nodes. This will make the
compute nodes crash or become very slow if we just add enough allowed
address pair rules...
Thanks.
Liping Mao
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1336207/+subscriptions
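The mitigation the bug title asks for, written as an added example rather than Neutron's own fix: a per-tenant quota on allowed address pairs that is enforced before any pair reaches the iptables backend, with duplicate pairs collapsed so they cannot inflate the rule count. The `Port` class, the function names and the default quota of 10 are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed convention for this example: a quota of -1 means unlimited.
UNLIMITED = -1
DEFAULT_ALLOWED_ADDRESS_PAIR_QUOTA = 10  # hypothetical per-tenant default


class QuotaExceeded(Exception):
    """Raised when a tenant would exceed its allowed-address-pair quota."""


@dataclass
class Port:
    tenant_id: str
    # Each pair: {"ip_address": "<ip or cidr>", "mac_address": "<optional>"}
    allowed_address_pairs: list = field(default_factory=list)


def normalize_pairs(pairs):
    """Validate IP/CIDR syntax and drop duplicates, so repeated entries
    cannot inflate the count or the number of iptables rules generated."""
    seen = {}
    for pair in pairs:
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        entry = {"ip_address": str(net)}
        if pair.get("mac_address"):
            entry["mac_address"] = pair["mac_address"].lower()
        seen.setdefault((entry["ip_address"], entry.get("mac_address")), entry)
    return list(seen.values())


def count_tenant_pairs(ports, tenant_id):
    """Pairs the tenant already holds across all its ports; the report
    notes each one becomes at least one iptables rule on a compute node."""
    return sum(len(p.allowed_address_pairs)
               for p in ports if p.tenant_id == tenant_id)


def set_allowed_address_pairs(ports, port, new_pairs,
                              quota=DEFAULT_ALLOWED_ADDRESS_PAIR_QUOTA):
    """Replace `port`'s pairs with `new_pairs`, rejecting the request if the
    tenant's total would exceed `quota`. Returns the number of pairs set."""
    clean = normalize_pairs(new_pairs)
    # Pairs on the tenant's other ports still count; this port's current
    # pairs are being replaced, so they are excluded from the baseline.
    baseline = (count_tenant_pairs(ports, port.tenant_id)
                - len(port.allowed_address_pairs))
    if quota != UNLIMITED and baseline + len(clean) > quota:
        raise QuotaExceeded("tenant %s: %d pairs requested, quota is %d"
                            % (port.tenant_id, baseline + len(clean), quota))
    port.allowed_address_pairs = clean
    return len(clean)
```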