yahoo-eng-team team mailing list archive

[Bug 1336207] Re: [OSSA 2014-025] There is no quota for allowed address pair (CVE-2014-3555)

** Changed in: neutron/havana
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1336207

Title:
  [OSSA 2014-025] There is no quota for allowed address pair
  (CVE-2014-3555)

Status in OpenStack Neutron (virtual network service):
  Fix Released
Status in neutron havana series:
  Fix Released
Status in neutron icehouse series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Hi all,

  There is no quota for allowed address pairs; a user can create an unlimited
  number of allowed address pairs, and in the backend there will be at least one
  iptables rule for each allowed address pair.  I tested using the attached
  script to add about 10,000 allowed address pairs. It took 30 sec to refresh
  the iptables rules in the kernel...  I think a bad man can use this API to
  attack compute nodes. This will make the compute nodes crash or become very
  slow as long as we add enough allowed address pair rules...

  Thanks.
  Liping Mao

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1336207/+subscriptions
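The mitigation the advisory title points at, a quota on allowed address pairs, as an added example that is not Neutron's own code: the tenant's total pair count is checked before any pair is stored, so an oversized request is rejected without ever reaching the iptables refresh the report measured. The quota value, the Port dataclass and the function names are assumptions for illustration, not Neutron's API or configuration keys.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed tenant quota; the real Neutron quota key and default are not given on the page.
DEFAULT_ADDRESS_PAIR_QUOTA = 10
RULES_PER_PAIR = 1  # the report states at least one iptables rule per pair


class OverQuota(Exception):
    """Raised when a request would push a tenant past its address-pair quota."""


@dataclass
class Port:
    """Minimal stand-in for a Neutron port (assumed shape, not Neutron's model)."""
    port_id: str
    tenant_id: str
    allowed_address_pairs: list = field(default_factory=list)


def normalize_pair(pair):
    """Validate one pair and return it in canonical form (raises ValueError)."""
    net = ipaddress.ip_network(pair["ip_address"], strict=False)
    mac = pair.get("mac_address")
    if mac is not None and len(mac.split(":")) != 6:
        raise ValueError("malformed MAC address: %r" % mac)
    return {"ip_address": str(net), "mac_address": mac}


def tenant_pair_count(ports, tenant_id):
    """Number of allowed address pairs a tenant currently holds across all its ports."""
    return sum(len(p.allowed_address_pairs) for p in ports if p.tenant_id == tenant_id)


def add_allowed_address_pairs(ports, port, new_pairs, quota=DEFAULT_ADDRESS_PAIR_QUOTA):
    """Append pairs to a port only if the tenant stays within quota.

    The projected total is computed before anything is stored, so a rejected
    request leaves the port unchanged and no iptables rules are generated.
    """
    validated = [normalize_pair(p) for p in new_pairs]
    projected = tenant_pair_count(ports, port.tenant_id) + len(validated)
    if projected > quota:
        raise OverQuota("tenant %s would hold %d allowed address pairs, quota is %d"
                        % (port.tenant_id, projected, quota))
    port.allowed_address_pairs.extend(validated)
    return len(port.allowed_address_pairs)


def projected_iptables_rules(ports):
    """Lower bound on iptables rules the agent must program for these ports."""
    return sum(len(p.allowed_address_pairs) for p in ports) * RULES_PER_PAIR
```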