Message #77552
[Bug 1818385] Re: It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735)
Reviewed: https://review.openstack.org/642145
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4350ed3c3556388eaa7f8623ed05b5adc86e9c16
Submitter: Zuul
Branch: master
commit 4350ed3c3556388eaa7f8623ed05b5adc86e9c16
Author: Brian Haley <bhaley@xxxxxxxxxx>
Date: Fri Mar 8 15:24:24 2019 -0500
Better handle ports in security groups
After taking a closer look at bug 1818385, I found a couple
of follow-on things to fix in the security group code.
First, there are very few protocols that accept ports,
especially via iptables. For this reason I think it's
acceptable that the API rejects them as invalid.
Second, UDPlite has some interesting support in iptables. It
does not support using --dport directly, but does using
'-m multiport --dports 123', and also supports port ranges using
'-m multiport --dports 123:124'. Added code for this special
case.
Change-Id: Ifb2e6bb6c7a2e2987ba95040ef5a98ed50aa36d4
Closes-Bug: #1818385
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1818385
Title:
It's possible to add a security group rule for VRRP with a dport
(CVE-2019-9735)
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Triaged
Bug description:
This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112
Since iptables does not allow dst-port to be passed, it triggers the following error on the compute and fails to apply any future iptables rules.
> unknown option "--dport"
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1818385/+subscriptions
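Added illustration of the two behaviours the commit message and bug description contrast; this is not Neutron's code. The function names, the `PORT_PROTOCOLS` set and the `InvalidRule` class are assumptions made for the example: the pre-fix path passes the port through to `--dport` for any protocol, while the fixed path rejects ports for protocols that cannot carry them at the API layer and uses `-m multiport --dports` for UDPlite.

```python
"""Port handling for security-group rules, modelled on bug 1818385.
Not Neutron's code; names below are assumptions for this example."""

# Protocols for which iptables accepts a destination-port match
# (constructed for this example; VRRP is deliberately absent).
PORT_PROTOCOLS = {"tcp", "udp", "sctp", "dccp", "udplite"}


class InvalidRule(ValueError):
    """Raised when a rule should be rejected at the API layer."""


def _port_spec(lo, hi):
    """Render a single port or an iptables 'lo:hi' range."""
    return str(lo) if lo == hi else f"{lo}:{hi}"


def legacy_port_match(protocol, port_min=None, port_max=None):
    """Pre-fix behaviour: ports are passed straight through, so
    '--protocol vrrp --dst-port 112' becomes '-p vrrp --dport 112',
    which iptables rejects with: unknown option "--dport"."""
    args = ["-p", protocol.lower()]
    if port_min is not None:
        hi = port_max if port_max is not None else port_min
        args += ["--dport", _port_spec(port_min, hi)]
    return args


def validate_rule(protocol, port_min=None, port_max=None):
    """Reject port ranges for protocols that cannot use them and
    normalise the range; returns (protocol, port_min, port_max)."""
    proto = protocol.lower()
    if port_min is None and port_max is None:
        return proto, None, None
    if proto not in PORT_PROTOCOLS:
        raise InvalidRule(f"protocol {proto!r} does not accept ports")
    lo = port_min if port_min is not None else port_max
    hi = port_max if port_max is not None else port_min
    if not (1 <= lo <= hi <= 65535):
        raise InvalidRule(f"invalid port range {lo}-{hi}")
    return proto, lo, hi


def iptables_port_match(protocol, port_min=None, port_max=None):
    """Post-fix behaviour: validate first, then special-case UDPlite,
    which has no --dport in iptables but accepts multiport --dports."""
    proto, lo, hi = validate_rule(protocol, port_min, port_max)
    args = ["-p", proto]
    if lo is None:
        return args
    if proto == "udplite":
        return args + ["-m", "multiport", "--dports", _port_spec(lo, hi)]
    return args + ["--dport", _port_spec(lo, hi)]
```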