Bug 1949188 (CVE-2021-3499)

Summary: CVE-2021-3499 openshift/ovn-kubernetes: Egress Firewall does not reliably apply firewall rules
Product: [Other] Security Response
Reporter: Przemyslaw Roguski <proguski>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aos-bugs, bbennett, bmontgom, eparis, jburrell, jokerman, nstielau, security-response-team, sponnaga
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OVN Kubernetes where the Egress Firewall does not reliably apply firewall rules when there are multiple DNS rules. It could lead to a potential loss of confidentiality, integrity or availability of a service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-28 08:52:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1947917, 1949529, 1949530, 1987187
Bug Blocks: 1948664, 1949494

Description Przemyslaw Roguski 2021-04-13 16:59:08 UTC
It was found that Egress Firewall in OVN-Kubernetes does not reliably apply firewall rules when there are multiple DNS rules.
When adding EgressFirewalls with 5 or so dnsNames it is probable that a deadlock will occur.
It could lead to a situation where the effective firewall rules are different from what would be expected.
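The practical consequence of the description above is that the rules declared in an EgressFirewall and the rules actually programmed for the namespace can diverge silently. The following audit script is an added example for this bug report, not code from ovn-kubernetes or from the reporter: it expands a namespace's EgressFirewall (several dnsName rules plus a final Deny, the shape that triggers the deadlock) into the per-address rules that should exist, and diffs them against a snapshot of programmed ACLs. The EgressFirewall object, the DNS answers and the ACL snapshot are all constructed inline, and the `ip4.dst == <cidr>` match format is a simplified assumption standing in for whatever the real OVN northbound database holds; in a live cluster you would feed in the output of `oc get egressfirewall -n <ns> -o json` and an ACL dump from the OVN NB database instead.

```python
"""Audit an EgressFirewall's dnsName rules against the ACLs actually programmed.

Added illustration for CVE-2021-3499; not code from ovn-kubernetes. Everything
below (the EgressFirewall, the DNS answers, the ACL snapshot and the match
string format) is constructed for the example.
"""
import re
from ipaddress import ip_network

# Constructed EgressFirewall for namespace "team-a" (the real CRD is
# egressfirewalls.k8s.ovn.org, one object named "default" per namespace).
EGRESS_FIREWALL = {
    "apiVersion": "k8s.ovn.org/v1",
    "kind": "EgressFirewall",
    "metadata": {"name": "default", "namespace": "team-a"},
    "spec": {
        "egress": [
            {"type": "Allow", "to": {"dnsName": "updates.example.com"}},
            {"type": "Allow", "to": {"dnsName": "api.example.org"}},
            {"type": "Allow", "to": {"dnsName": "mirror.example.net"}},
            {"type": "Allow", "to": {"dnsName": "registry.example.io"}},
            {"type": "Allow", "to": {"dnsName": "telemetry.example.com"}},
            {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
        ]
    },
}

# Constructed DNS answers, standing in for what the controller resolves.
DNS = {
    "updates.example.com": ["203.0.113.10"],
    "api.example.org": ["203.0.113.20", "203.0.113.21"],
    "mirror.example.net": ["203.0.113.30"],
    "registry.example.io": ["203.0.113.40"],
    "telemetry.example.com": ["203.0.113.50"],
}

# Constructed ACL snapshot (action, match) as if dumped for this namespace.
# Two of the five dnsName rules never made it in: the symptom of this bug.
OBSERVED_ACLS = [
    ("allow", "ip4.dst == 203.0.113.10/32"),
    ("allow", "ip4.dst == 203.0.113.20/32"),
    ("allow", "ip4.dst == 203.0.113.21/32"),
    ("allow", "ip4.dst == 203.0.113.50/32"),
    ("drop", "ip4.dst == 0.0.0.0/0"),
]

# Assumed, simplified match syntax; adapt the pattern to the real ACL dump.
MATCH_RE = re.compile(r"ip4\.dst == (\S+)")


def expected_acls(firewall, dns):
    """Expand each egress rule into the (action, cidr) pairs it should yield, in spec order."""
    expected = []
    for rule in firewall["spec"]["egress"]:
        action = "allow" if rule["type"] == "Allow" else "drop"
        to = rule["to"]
        if "cidrSelector" in to:
            expected.append((action, str(ip_network(to["cidrSelector"]))))
        elif "dnsName" in to:
            # A dnsName with no answer produces no ACL at all, so it shows up as
            # "nothing expected" rather than as a missing rule; flag it separately.
            for addr in dns.get(to["dnsName"], []):
                expected.append((action, str(ip_network(addr + "/32"))))
    return expected


def observed_set(acls):
    """Normalise (action, match) ACL entries into a set of (action, cidr)."""
    out = set()
    for action, match in acls:
        m = MATCH_RE.search(match)
        if m:
            out.add((action, str(ip_network(m.group(1)))))
    return out


def missing_rules(firewall, dns, acls):
    """Expected rules that are not programmed: traffic not filtered as declared."""
    have = observed_set(acls)
    return [e for e in expected_acls(firewall, dns) if e not in have]


def stale_rules(firewall, dns, acls):
    """Programmed rules the spec does not call for (e.g. left over from old DNS answers)."""
    want = set(expected_acls(firewall, dns))
    return sorted(observed_set(acls) - want)


def unresolved_names(firewall, dns):
    """dnsName rules with no DNS answer, which silently contribute no ACL."""
    return [r["to"]["dnsName"] for r in firewall["spec"]["egress"]
            if "dnsName" in r["to"] and not dns.get(r["to"]["dnsName"])]


if __name__ == "__main__":
    ns = EGRESS_FIREWALL["metadata"]["namespace"]
    print(f"namespace {ns}: missing   {missing_rules(EGRESS_FIREWALL, DNS, OBSERVED_ACLS)}")
    print(f"namespace {ns}: stale     {stale_rules(EGRESS_FIREWALL, DNS, OBSERVED_ACLS)}")
    print(f"namespace {ns}: unresolved {unresolved_names(EGRESS_FIREWALL, DNS)}")
```

With the constructed data the report lists the two allow rules for mirror.example.net and registry.example.io as missing. Because the namespace's last rule is a Deny for 0.0.0.0/0, a missing Allow is an availability problem for that workload; had the missing entry been a Deny, it would instead be an open egress path, which is why both directions of the diff matter.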

Comment 1 Przemyslaw Roguski 2021-04-13 16:59:11 UTC
Acknowledgments:

Name: Michael Swenson (Red Hat)

Comment 2 Przemyslaw Roguski 2021-04-13 17:10:04 UTC
Statement:

In OpenShift Container Platform 4 the default Container Network Interface (CNI) network provider plug-in is OpenShift SDN, and it's not affected by this flaw. Only the OVN-Kubernetes CNI network provider is affected.

Comment 5 Przemyslaw Roguski 2021-04-14 19:38:06 UTC
upstream PR:
https://github.com/ovn-org/ovn-kubernetes/pull/2169

Comment 6 Mark Cooper 2021-06-24 02:14:40 UTC
Used fixcvename on RHBA-2021:1550

This was fixed in 4.7.10 but only shipped in 4.7.11 with container ose-ovn-kubernetes-container-v4.7.0-202105071917.p0