yahoo-eng-team team mailing list archive

[Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>]

** Changed in: neutron
       Status: Fix Committed => Fix Released

** Changed in: neutron
    Milestone: None => kilo-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1399172

Title:
  [OSSA 2015-001] L3 agent DoS vulnerability (CVE-2014-8153)

Status in OpenStack Neutron (virtual network service):
  Fix Released
Status in neutron icehouse series:
  Invalid
Status in neutron juno series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Reported by Ihar Hrachyshka via email:

  we've found a bug [1] in Openstack Neutron Juno (2014.2) release that
  (it seems) may be utilized to make Neutron L3 agent non-functional
  during the following scenario (initially reported in downstream as [2]):

  - a tenant (user) creates 8 routers;
  - for each router, a tenant assigns a ipv6 non-provider subnet.

  => L3 agent limits the number of threads that process updates to
  router state to 8 [3]. Since the bug makes the thread lock if the
  release is used with radvd 2.0+, it's enough to have those 8 failing
  routers to completely block any kind of router updates processing for
  all tenants.

  The vulnerability is limited to setups that run on top of radvd 2.0+.
  There are few distributions that currently ship radvd 2.0+,
  so the scope of the vulnerability is not very wide (in Red Hat world,
  it's mostly Fedora Rawhide).

  The bug in question is public, though I haven't raised its potential
  security status in any public or private communications before.

  [1]: https://launchpad.net/bugs/1398779
  [2]: https://bugzilla.redhat.com/show_bug.cgi?id=1169408
  [3]: https://github.com/openstack/neutron/blob/master/neutron/agent/l3_agent.py#L1831

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1399172/+subscriptions