← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1300785] Re: [OSSA 2014-014] neutron allows security group rules with invalid cidrs, resulting in broken iptables rules (breaking iptables-restore) (CVE-2014-0187)

 

** Changed in: neutron/icehouse
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1300785

Title:
  [OSSA 2014-014] neutron allows security group rules with invalid
  cidrs, resulting in broken iptables rules (breaking iptables-restore)
  (CVE-2014-0187)

Status in neutron:
  Fix Released
Status in neutron havana series:
  Fix Committed
Status in neutron icehouse series:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  This bug is already reported in
  https://bugs.launchpad.net/neutron/+bug/1255338, but no security
  impact is discussed in that bug so far. We have been hitting the same
  issue in our cloud recently, and found that it is basically breaking
  quantum-plugin-openvswitch-agent / neutron-plugin-openvswitch-agent
  with errors like this:

  security group was created with:

  quantum security-group-rule-create default --direction egress
  --protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-
  prefix /32

      ERROR [quantum.plugins.openvswitch.agent.ovs_quantum_agent] Error in agent event loop
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 700, in rpc_loop
        sync = self.process_network_ports(port_info)
      File "/usr/lib/python2.7/dist-packages/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 655, in process_network_ports
        resync_a = self.treat_devices_added(port_info['added'])
      File "/usr/lib/python2.7/dist-packages/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 601, in treat_devices_added
        self.sg_agent.prepare_devices_filter(devices)
      File "/usr/lib/python2.7/dist-packages/quantum/agent/securitygroups_rpc.py", line 114, in prepare_devices_filter
        self.firewall.prepare_port_filter(device)
      File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
        self.gen.next()
      File "/usr/lib/python2.7/dist-packages/quantum/agent/firewall.py", line 107, in defer_apply
        self.filter_defer_apply_off()
      File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/iptables_firewall.py", line 284, in filter_defer_apply_off
        self.iptables.defer_apply_off()
      File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/iptables_manager.py", line 304, in defer_apply_off
        self._apply()
      File "/usr/lib/python2.7/dist-packages/quantum/openstack/common/lockutils.py", line 228, in inner
        retval = f(*args, **kwargs)
      File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/iptables_manager.py", line 340, in _apply
        root_helper=self.root_helper)
      File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/utils.py", line 61, in execute
        raise RuntimeError(m)
    RuntimeError: 
    Command: ['sudo', '/usr/bin/quantum-rootwrap', '/etc/quantum/rootwrap.conf', 'iptables-restore']
    Exit code: 2
    Stdout: ''
    Stderr: "iptables-restore v1.4.12: host/network `' not found\nError occurred at line: 391\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"

  Our operations team is telling me, that just removing the broken role
  didn't help, but "restart quantum-plugin-openvswitch-agent" was needed
  on all affected nodes.

  IMHO, this is an issue the vulnerability management team should
  consider. (We have been seeing this on stable/grizzly, but havana and
  upcoming icehouse are also affected.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1300785/+subscriptions