Bug 1409687 (CVE-2016-9599)

Summary: CVE-2016-9599 puppet-tripleo: if ssl is enabled, traffic is open on both undercloud and overcloud
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, jjoyce, jschluet, kbasil, lars, lhh, lpeer, markmc, rbryant, rhos-maint, sclewis, slinaber, sparks, srevivo, tdecacqu, tvignaud
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: puppet-tripleo 5.5.0, puppet-tripleo 6.2.0 Doc Type: If docs needed, set a value
Doc Text:
An access-control flaw was discovered in puppet-tripleo's IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. Some API services in Red Hat OpenStack Platform director are not exposed to public networks, which meant their $public_ssl_port value was set to empty (for example, openstack-glance, which is deployed by default on both undercloud and overcloud). If SSL was enabled, a malicious user could use these open ports to gain access to unauthorized resources.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-22 02:57:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1409688, 1409689, 1409690, 1409798    
Bug Blocks: 1408133    

Description Summer Long 2017-01-03 02:03:32 UTC
Puppet IPtables rules management allows the creation of TCP / UDP rules with empty port value.Some API services in Director are not exposed to public networks,
which means $public_ssl_port are empty for some services (for example, 
Glance, which is deployed by default on both undercloud and overcloud).

If SSL is enabled, several IPtables rules are created without a
port specified, which opens all traffic for TCP protocol. Example
of rule:
-A INPUT -p tcp -m comment --comment "100 glance_registry_haproxy_ssl"
-m state --state NEW -j ACCEPT

Comment 2 Summer Long 2017-01-03 02:13:32 UTC
Created puppet-tripleo tracking bugs for this issue:

Affects: openstack-rdo [bug 1409689]

Comment 3 Summer Long 2017-01-04 00:15:07 UTC
Acknowledgments:

Name: Ben Nemec (Red Hat)

Comment 4 errata-xmlrpc 2017-01-05 14:37:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:0025 https://rhn.redhat.com/errata/RHSA-2017-0025.html