yahoo-eng-team team mailing list archive
Message #91110
[Bug 1837339] Re: CIDR's of the form 12.34.56.78/0 should be an error
Looks like this was fixed by a change in neutron to use a "normalized"
CIDR in the security group backends,
https://bugs.launchpad.net/neutron/+bug/1869129 has more details.
So I think we can mark the neutron portion here fixed.
** Changed in: neutron
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1837339
Title:
CIDR's of the form 12.34.56.78/0 should be an error
Status in OpenStack Dashboard (Horizon):
Confirmed
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
New
Bug description:
The problem is that some users do not understand how CIDRs work, and
incorrectly use /0 when they are trying to specify a single IP or a
subnet in an Access Rule. Unfortunately 12.34.56.78/0 means the same
thing as 0.0.0.0/0.
The proposed fix is to insist that /0 only be used with 0.0.0.0/0 and
the IPv6 equivalent ::/0 when entering or updating Access Rule CIDRs
via the dashboard.
I am labeling this as a security vulnerability since it leads to naive
users creating instances with ports open to the world when they didn't
intend to do that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1837339/+subscriptions
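An added example, not Horizon or neutron code, of the validation the report proposes: it shows what a normalizing backend turns a rule like 12.34.56.78/0 into, and rejects a /0 rule unless it is written as 0.0.0.0/0 or ::/0. It goes one step beyond the bug by also rejecting any CIDR with host bits set, since those are silently widened in the same way. The function names are assumptions, and the sample inputs are constructed.

```python
import ipaddress
from typing import Tuple


def normalized_cidr(cidr: str) -> str:
    """Return the network a normalizing security-group backend enforces.

    strict=False clears the host bits, which is exactly why 12.34.56.78/0
    collapses to 0.0.0.0/0 (and 2001:db8::1/0 to ::/0).
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def validate_rule_cidr(cidr: str) -> Tuple[bool, str]:
    """Accept or reject a CIDR typed into an access-rule form (hypothetical helper).

    Policy:
      * a /0 prefix is only accepted as 0.0.0.0/0 or ::/0;
      * any other CIDR with host bits set is rejected as well, and the
        message tells the user what the backend would actually apply.
    Returns (accepted, message).
    """
    try:
        # ip_interface keeps the typed address and does not raise on host bits
        iface = ipaddress.ip_interface(cidr)
    except ValueError as exc:
        return False, f"invalid CIDR {cidr!r}: {exc}"
    net = iface.network
    host_bits_set = iface.ip != net.network_address
    if net.prefixlen == 0 and host_bits_set:
        return False, (f"{cidr} has prefix /0 and matches every address; "
                       f"write {net} if opening to the world is intended")
    if host_bits_set:
        return False, f"{cidr} has host bits set; backend would apply {net}"
    return True, f"{cidr} accepted"


if __name__ == "__main__":
    # Constructed sample inputs, including the exact form from the bug report.
    for sample in ("12.34.56.78/0", "0.0.0.0/0", "::/0", "10.0.0.5/24",
                   "10.0.0.5/32", "2001:db8::1/0", "not-a-cidr"):
        ok, msg = validate_rule_cidr(sample)
        print(f"{'OK ' if ok else 'BAD'} {msg}")
```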