← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #41446

[Bug 1461054] Re: [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221)

  Thread PreviousDate PreviousThread Next 
** Changed in: neutron/juno
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1461054

Title:
  [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2
  agent (CVE-2015-3221)

Status in neutron:
  Fix Released
Status in neutron juno series:
  Fix Released
Status in neutron kilo series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
  Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70

  This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
  But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.

  2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
  Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
  Exit code: 1
  Stdin:
  Stdout:
  Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid

  2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
  2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
  2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     ovs_restarted)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     port_info.get('updated', set()))
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.prepare_devices_filter(new_devices)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     *args, **kwargs)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     security_groups, security_group_member_ips)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.gen.next()
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.filter_defer_apply_off()
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.unfiltered_ports)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._setup_chain(port, INGRESS_DIRECTION)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._add_rules_by_security_group(port, DIRECTION)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._update_ipset_members(remote_sg_ids)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
  vagrant@node1:~$
  vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     return f(*args, **kwargs)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._add_members_to_set(set_name, add_ips)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._add_member_to_set(set_name, ip)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self._apply(cmd)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent     self.execute(cmd_ns, run_as_root=True, process_input=input)
  2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/utils.py"

  Workaround:

  neutron port-update $PORT_ID --allowed_address_pairs list=true
  type=dict ip_address=0.0.0.0/1 ip_address=128.0.0.0/1

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1461054/+subscriptions
  Thread PreviousDate PreviousThread Next