yahoo-eng-team team mailing list archive

[Bug 1461054] Re: [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221)

 

** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1461054

Title:
  [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2
  agent (CVE-2015-3221)

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in neutron juno series:
  Fix Committed
Status in neutron kilo series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.

  vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
  Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70

  This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
  But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.

  2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
  Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
  Exit code: 1
  Stdin:
  Stdout:
  Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid

  2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
  2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
  2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     ovs_restarted)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     port_info.get('updated', set()))
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.prepare_devices_filter(new_devices)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     *args, **kwargs)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     security_groups, security_group_member_ips)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.gen.next()
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.filter_defer_apply_off()
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.unfiltered_ports)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._setup_chain(port, INGRESS_DIRECTION)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._add_rules_by_security_group(port, DIRECTION)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._update_ipset_members(remote_sg_ids)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
  vagrant@node1:~$
  vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     return f(*args, **kwargs)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._add_members_to_set(set_name, add_ips)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._add_member_to_set(set_name, ip)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._apply(cmd)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.execute(cmd_ns, run_as_root=True, process_input=input)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/utils.py"

  Workaround:

  neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/1 ip_address=128.0.0.0/1

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1461054/+subscriptions
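The failure mode in the report is a single tenant-supplied value (a zero-prefix CIDR that ipset's hash:net type cannot store) reaching the L2 agent unvalidated and aborting security-group filtering for every port on that node. The example below is added here and is not Neutron's own code or the fix shipped for OSSA-2015-012; the function names are my own. It shows the two defensive moves a practitioner would want: reject zero-prefix entries for both IPv4 and IPv6 before they reach the agent, and, if such an entry does slip through, report it rather than let it take down the whole batch. It also implements the reporter's workaround of expressing a /0 as two /1 halves, which hash:net does accept.

```python
"""Validation for Neutron-style allowed address pairs (added example,
not project code). Uses only the standard-library ipaddress module."""
import ipaddress


def validate_allowed_address_pair(ip_address):
    """Return the parsed network, or raise ValueError if ipset cannot store it.

    hash:net sets reject a zero prefix length, so 0.0.0.0/0 and ::/0 must be
    refused at the API layer before they are ever handed to the agent.
    """
    try:
        net = ipaddress.ip_network(ip_address, strict=False)
    except ValueError as exc:
        raise ValueError("invalid ip_address %r: %s" % (ip_address, exc))
    if net.prefixlen == 0:
        raise ValueError(
            "zero prefix length is not allowed in allowed_address_pairs: %s"
            % ip_address)
    return net


def split_zero_prefix(ip_address):
    """Apply the workaround from the bug report: express a /0 as two /1 halves.

    Returns CIDR strings that cover the same range and that hash:net accepts;
    a non-zero prefix is returned unchanged.
    """
    net = ipaddress.ip_network(ip_address, strict=False)
    if net.prefixlen != 0:
        return [str(net)]
    return [str(half) for half in net.subnets(prefixlen_diff=1)]


def partition_ipset_members(members):
    """Split candidate ipset members into (accepted, rejected).

    Defensive counterpart to the agent's set_members path in the traceback:
    one bad entry from one port is reported, instead of raising and aborting
    filtering for every other port on the node. Returns two lists.
    """
    accepted, rejected = [], []
    for member in members:
        try:
            accepted.append(str(validate_allowed_address_pair(member)))
        except ValueError as exc:
            rejected.append((member, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample mirroring the report: a normal entry, the /0 that
    # triggered the ipset error, its IPv6 equivalent, and garbage input.
    sample = ["10.0.0.5/32", "0.0.0.0/0", "::/0", "not-an-address"]
    ok, bad = partition_ipset_members(sample)
    print("accepted:", ok)
    print("rejected:", bad)
    print("workaround for 0.0.0.0/0:", split_zero_prefix("0.0.0.0/0"))
```

Rejecting at validation time is the stronger control: the workaround keeps the agent alive, but a /0 pair still means the port can source traffic from any address, which is worth a second look on its own.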