Bug 1269119 (CVE-2015-7713)

Summary: CVE-2015-7713 openstack-nova: network security group changes are not applied to running instances
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, akscram, alexander.sakhnov, aortega, apevec, apevec, ayoung, berrange, bfilippov, bleanhar, ccoleman, chrisw, dallan, dasmith, davidx, dmcphers, eglynn, gkotton, gmollett, itamar, jdetiber, jialiu, jjoyce, jkeck, jokerman, jonathansteffan, jose.castro.leon, jrusnack, jschluet, kbasil, kchamart, kseifried, lhh, lmeyer, lpeer, markmc, mburns, mlvov, mmagr, mmccomas, ndipanov, nova-maint, p, rbryant, rk, sbauza, sclewis, sferdjao, sgordon, slinaber, slong, tdecacqu, vladanovic, vromanso, weli, yeylon
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A vulnerability was discovered in the way OpenStack Compute (nova) networking handled security group updates; changes were not applied to already running VM instances. A remote attacker could use this flaw to access running VM instances.
Last Closed: 2016-01-11 00:30:53 UTC
Bug Depends On: 1269122, 1269123, 1272863, 1272864, 1272865, 1272866    
Bug Blocks: 1269121    

Description Martin Prpič 2015-10-06 11:47:48 UTC
Title: Nova network security group changes are not applied to running instances

Reporter: Sreekumar S and Suntao
Products: Nova
Affects: <=2014.2.3, >=2015.1.0, <=2015.1.1

Description:

Sreekumar S and Suntao independently reported a vulnerability in Nova network. Security group changes silently fail to be applied to already running instances, potentially resulting in instances not being protected by the security group. All Nova network setups are affected.

References:

https://launchpad.net/bugs/1491307
https://launchpad.net/bugs/1484738
http://seclists.org/oss-sec/2015/q4/41

Comment 1 Martin Prpič 2015-10-06 11:50:21 UTC
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1269122]
Affects: fedora-all [bug 1269123]

Comment 3 Adam Mariš 2015-10-08 08:23:25 UTC
Upstream patches:

https://review.openstack.org/222026 (Juno)
https://review.openstack.org/222023 (Kilo)
https://review.openstack.org/222022 (Liberty)

Comment 7 errata-xmlrpc 2015-12-21 17:06:28 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2015:2673 https://access.redhat.com/errata/RHSA-2015:2673

Comment 8 errata-xmlrpc 2015-12-21 18:45:13 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:2684 https://rhn.redhat.com/errata/RHSA-2015-2684.html

Comment 9 errata-xmlrpc 2016-01-07 20:49:01 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2016:0013 https://rhn.redhat.com/errata/RHSA-2016-0013.html

Comment 10 errata-xmlrpc 2016-01-10 23:20:39 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2016:0017 https://rhn.redhat.com/errata/RHSA-2016-0017.html