yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #38763
[Bug 1300785] Re: [OSSA 2014-014] neutron allows security group rules with invalid cidrs, resulting in broken iptables rules (breaking iptables-restore) (CVE-2014-0187)
** Changed in: neutron/icehouse
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1300785
Title:
[OSSA 2014-014] neutron allows security group rules with invalid
cidrs, resulting in broken iptables rules (breaking iptables-restore)
(CVE-2014-0187)
Status in neutron:
Fix Released
Status in neutron havana series:
Fix Committed
Status in neutron icehouse series:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
This bug is already reported in
https://bugs.launchpad.net/neutron/+bug/1255338, but no security
impact is discussed in that bug so far. We have been hitting the same
issue in our cloud recently, and found that it is basically breaking
quantum-plugin-openvswitch-agent / neutron-plugin-openvswitch-agent
with errors like this:
security group was created with:
quantum security-group-rule-create default --direction egress
--protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-
prefix /32
ERROR [quantum.plugins.openvswitch.agent.ovs_quantum_agent] Error in agent event loop
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 700, in rpc_loop
sync = self.process_network_ports(port_info)
File "/usr/lib/python2.7/dist-packages/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 655, in process_network_ports
resync_a = self.treat_devices_added(port_info['added'])
File "/usr/lib/python2.7/dist-packages/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 601, in treat_devices_added
self.sg_agent.prepare_devices_filter(devices)
File "/usr/lib/python2.7/dist-packages/quantum/agent/securitygroups_rpc.py", line 114, in prepare_devices_filter
self.firewall.prepare_port_filter(device)
File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
self.gen.next()
File "/usr/lib/python2.7/dist-packages/quantum/agent/firewall.py", line 107, in defer_apply
self.filter_defer_apply_off()
File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/iptables_firewall.py", line 284, in filter_defer_apply_off
self.iptables.defer_apply_off()
File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/iptables_manager.py", line 304, in defer_apply_off
self._apply()
File "/usr/lib/python2.7/dist-packages/quantum/openstack/common/lockutils.py", line 228, in inner
retval = f(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/iptables_manager.py", line 340, in _apply
root_helper=self.root_helper)
File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/utils.py", line 61, in execute
raise RuntimeError(m)
RuntimeError:
Command: ['sudo', '/usr/bin/quantum-rootwrap', '/etc/quantum/rootwrap.conf', 'iptables-restore']
Exit code: 2
Stdout: ''
Stderr: "iptables-restore v1.4.12: host/network `' not found\nError occurred at line: 391\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
Our operations team is telling me, that just removing the broken role
didn't help, but "restart quantum-plugin-openvswitch-agent" was needed
on all affected nodes.
IMHO, this is an issue the vulnerability management team should
consider. (We have been seeing this on stable/grizzly, but havana and
upcoming icehouse are also affected.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1300785/+subscriptions
