yahoo-eng-team team mailing list archive

[Bug 1818385] Re: It's possible to add a security group rule for VRRP with a dport

 

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1818385

Title:
  It's possible to add a security group rule for VRRP with a dport

Status in neutron:
  In Progress
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  This command should be invalid, but Neutron (Rocky) allows it to be created. 
  > openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112

  Since iptables does not allow dst-port to be passed, it would trigger the following error on the compute.
  > unknown option "--dport"

  I would have created this as a security vulnerability, but it's
  already been mentioned on IRC.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1818385/+subscriptions
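
The check the bug description finds missing, shown as an added example that is not part of the original message and is not Neutron's own code. The names protocol_number, build_match and InvalidRule are hypothetical, and the set of protocols treated as accepting a port match is an assumption of this example; ICMP type/code handling is not modelled.

```python
# Added example, not Neutron code: refuse a port range on a protocol that has
# no ports, so an unusable "--dport" never reaches iptables on the compute node.
# Assumption: only these IP protocol numbers accept a destination-port match.
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "dccp": 33, "vrrp": 112,
                    "sctp": 132, "udplite": 136}
PORT_PROTOCOLS = {6, 17, 33, 132, 136}


class InvalidRule(ValueError):
    """Raised when a rule cannot be expressed as a valid firewall match."""


def protocol_number(protocol):
    """Accept a name ("vrrp") or a number (112, "112"); return the IP protocol number."""
    text = str(protocol).strip().lower()
    if text.isdecimal():
        number = int(text)
        if number > 255:
            raise InvalidRule(f"protocol number out of range: {protocol}")
        return number
    if text not in PROTOCOL_NUMBERS:
        raise InvalidRule(f"unknown protocol: {protocol}")
    return PROTOCOL_NUMBERS[text]


def build_match(protocol, port_min=None, port_max=None):
    """Return iptables match arguments, rejecting ports on port-less protocols."""
    number = protocol_number(protocol)
    args = ["-p", str(number)]
    if port_min is None and port_max is None:
        return args
    # Validate against the resolved number so "vrrp" and "112" behave the same.
    if number not in PORT_PROTOCOLS:
        raise InvalidRule(f"protocol {protocol} does not support a port range")
    low = port_min if port_min is not None else port_max
    high = port_max if port_max is not None else port_min
    if not 1 <= low <= high <= 65535:
        raise InvalidRule(f"invalid port range: {low}:{high}")
    args += ["--dport", str(low) if low == high else f"{low}:{high}"]
    return args
```

Running the validation at rule-creation time returns the error to the caller instead of leaving it to surface later on the compute node.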
