yahoo-eng-team team mailing list archive
Message #77291
[Bug 1818385] Re: It's possible to add a security group rule for VRRP with a dport
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Incomplete
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1818385
Title:
It's possible to add a security group rule for VRRP with a dport
Status in neutron:
In Progress
Status in OpenStack Security Advisory:
Incomplete
Bug description:
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port being passed, it would trigger the following error on the compute.
> unknown option "--dport"
I would have created this as a security vulnerability, but it's
already been mentioned on IRC.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1818385/+subscriptions
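The kind of API-side check the report asks for, sketched as an added example (this is not Neutron's code or its fix): a rule with a port range is rejected unless the protocol carries ports, so it never reaches iptables as `--dport`. The function names, the protocol tables and the set of port-carrying protocols are assumptions of this example.

```python
# Added illustration, not Neutron code: all names here are hypothetical.

# Assumption: only these protocols carry port numbers that a --dport match
# can apply to. Values are IANA protocol numbers.
PORT_PROTOCOLS = {"tcp": 6, "udp": 17, "dccp": 33, "sctp": 132}
# Constructed, partial name table; vrrp is IP protocol 112.
PROTOCOL_NUMBERS = {**PORT_PROTOCOLS, "vrrp": 112, "gre": 47, "esp": 50}


class InvalidRule(ValueError):
    """Raised when a rule cannot be rendered as a valid firewall match."""


def normalize_protocol(protocol):
    """Map a protocol name or numeric string to its number (None = any)."""
    if protocol is None:
        return None
    text = str(protocol).strip().lower()
    if text.isdecimal():
        number = int(text)
        if number > 255:
            raise InvalidRule(f"protocol number out of range: {protocol}")
        return number
    if text not in PROTOCOL_NUMBERS:
        raise InvalidRule(f"unknown protocol: {protocol}")
    return PROTOCOL_NUMBERS[text]


def validate_rule(protocol, port_min=None, port_max=None):
    """Return the protocol number, or raise InvalidRule for a bad rule.

    ICMP type/code, which Neutron stores in the port fields, is not modelled.
    """
    number = normalize_protocol(protocol)
    if port_min is None and port_max is None:
        return number
    # Check the number, not the name, so "112" is treated like "vrrp".
    if number not in PORT_PROTOCOLS.values():
        raise InvalidRule(f"protocol {protocol!r} does not take a port range")
    low = port_min if port_min is not None else port_max
    high = port_max if port_max is not None else port_min
    if not (1 <= low <= high <= 65535):
        raise InvalidRule(f"invalid port range: {low}-{high}")
    return number
```

Rejecting the rule at creation time returns the error to the caller who made the request, rather than leaving it to surface later on the compute host when the rule is applied.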