
yahoo-eng-team team mailing list archive

[Bug 1907491] Re: OVS conjunctive flows are not cleaned up after remote group member ips deleted

 

Thanks, given the circumstances with fixes already being discussed in
public and the low risk of this being directly exploited, I've gone
ahead and made the report public now and tagged it as security-related.
I've also set our coordinated advisory task to "won't fix" indicating
that I think there isn't an obvious need to publish a specific security
advisory about it, but am happy to revisit that decision if more
pressing exploit scenarios can be presented for it.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2021-03-10 and will be made
- public by or on that date even if no fix is identified.
- 
  Running with the current Neutron master and OVS firewall agent in
  devstack all-in-one, when creating a security group rule with a
  remote-group for an active VM, the conjunctive flows that match the
  remote-group's member IPs are created. But when deleting the
  remote-group's member IPs (e.g. unset fixed-ips of the port associated
  with the remote-group), the deleted IP's conjunctive flows are not
  cleaned up in OVS.
  
  Detailed steps to reproduce in devstack:
  http://paste.openstack.org/show/800820/

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1907491

Title:
  OVS conjunctive flows are not cleaned up after remote group member ips
  deleted

Status in neutron:
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Running with the current Neutron master and OVS firewall agent in
  devstack all-in-one, when creating a security group rule with a
  remote-group for an active VM, the conjunctive flows that match the
  remote-group's member IPs are created. But when deleting the
  remote-group's member IPs (e.g. unset fixed-ips of the port associated
  with the remote-group), the deleted IP's conjunctive flows are not
  cleaned up in OVS.

  Detailed steps to reproduce in devstack:
  http://paste.openstack.org/show/800820/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1907491/+subscriptions
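A practical check for the symptom this report describes, added here as an example; it is not Neutron's or OVS's code. It parses `ovs-ofctl dump-flows` output, picks out the flows that match a remote-group member address and feed a conjunction, and lists the ones whose address Neutron no longer reports as a member. The sample dump is constructed and only approximates the flows the OVS firewall driver installs in its security-group table; the cookie, register values, table number and conj_id numbers are assumptions. The del-flows commands it produces are returned as strings for an operator to review, not executed.

```python
"""Find OVS conjunctive flows that still reference a remote-group member
IP which is no longer a member (added example; not Neutron or OVS code).

SAMPLE_DUMP is a constructed approximation of what
`ovs-ofctl dump-flows br-int table=82` prints for a remote-group rule.
Cookie, reg values, table number and conj_id numbers are made up.
"""
import re
from ipaddress import ip_network

SAMPLE_DUMP = """\
 cookie=0x9ad8, duration=312.4s, table=82, n_packets=0, n_bytes=0, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x1,nw_src=10.0.0.5 actions=conjunction(18,1/2)
 cookie=0x9ad8, duration=312.4s, table=82, n_packets=0, n_bytes=0, priority=73,ct_state=+new-est,ip,reg6=0x1,nw_src=10.0.0.5 actions=conjunction(19,1/2)
 cookie=0x9ad8, duration=312.4s, table=82, n_packets=0, n_bytes=0, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x1,nw_src=10.0.0.7 actions=conjunction(18,1/2)
 cookie=0x9ad8, duration=312.4s, table=82, n_packets=0, n_bytes=0, priority=73,ct_state=+new-est,ip,reg6=0x1,nw_src=10.0.0.7 actions=conjunction(19,1/2)
 cookie=0x9ad8, duration=312.4s, table=82, n_packets=0, n_bytes=0, priority=71,ct_state=+est-rel-rpl,ip,reg5=0x3 actions=conjunction(18,2/2)
 cookie=0x9ad8, duration=312.4s, table=82, n_packets=0, n_bytes=0, priority=71,conj_id=18,ct_state=+est-rel-rpl,ip,reg5=0x3 actions=output:3
"""

# A "member flow" matches a remote-group member address (IPv4 or IPv6)
# and feeds one clause of a conjunction. Flows that only carry conj_id=
# or that match registers instead of addresses are deliberately skipped.
FLOW_RE = re.compile(
    r"table=(?P<table>\d+).*?"
    r"\b(?P<field>nw_src|nw_dst|ipv6_src|ipv6_dst)=(?P<addr>[0-9a-fA-F.:/]+)"
    r".*?actions=conjunction\((?P<conj>\d+),(?P<clause>\d+)/(?P<n>\d+)\)"
)


def member_flows(dump):
    """Yield (table, field, network, conj_id, clause) for every flow that
    matches a member address and feeds a conjunction."""
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if m:
            # ip_network normalises "10.0.0.7" and "10.0.0.7/32" to one value.
            yield (int(m["table"]), m["field"], ip_network(m["addr"], strict=False),
                   int(m["conj"]), int(m["clause"]))


def stale_member_flows(dump, current_members):
    """Return member flows whose address is not in `current_members`, the
    set of IPs Neutron currently lists for the remote group's ports."""
    current = {ip_network(a, strict=False) for a in current_members}
    return [f for f in member_flows(dump) if f[2] not in current]


def del_flow_commands(dump, current_members, bridge="br-int"):
    """Build (but do not run) one ovs-ofctl del-flows command per stale
    address. The match is left wide so both ct_state variants go together."""
    cmds = []
    for table, field, addr, _conj, _clause in stale_member_flows(dump, current_members):
        proto = "ipv6" if field.startswith("ipv6") else "ip"
        cmd = f'ovs-ofctl del-flows {bridge} "table={table},{proto},{field}={addr}"'
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # Scenario from the report: 10.0.0.7 had its fixed IP unset, so only
    # 10.0.0.5 is still a member, yet flows for 10.0.0.7 remain in OVS.
    members = {"10.0.0.5"}
    for table, field, addr, conj, clause in stale_member_flows(SAMPLE_DUMP, members):
        print(f"stale: table={table} {field}={addr} -> conjunction({conj},{clause})")
    for cmd in del_flow_commands(SAMPLE_DUMP, members):
        print("suggested:", cmd)
```

On a compute node, feed the real output of `ovs-ofctl dump-flows br-int table=82` (or whichever table the deployed firewall driver uses) and the member list taken from the ports in the remote security group; anything reported as stale is an address that would still match the rule after it was supposedly removed, which is the exposure this bug describes.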