Bug 1473792 (CVE-2017-7543)

Summary: CVE-2017-7543 openstack-neutron: iptables not active after update
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amuller, aortega, apevec, astafeye, chrisw, cvsbot-xmlrpc, ekuris, gcheresh, hbrock, ihrachys, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, morazi, nyechiel, rbryant, sclewis, security-response-team, slinaber, slong, srevivo, suraj.chandegave, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A race-condition flaw was discovered in openstack-neutron where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-14 00:39:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1474113, 1474114, 1474115, 1474116, 1474117, 1474118, 1474119    
Bug Blocks: 1473793    
Attachments:
Description Flags
RHOSP7 difffs for three files
none
RHOSP7 diff for this CVE none

Description Kurt Seifried 2017-07-21 16:44:58 UTC 
Paul Needle of Red Hat reports:

iptables/firewalld is not active on overcloud compute and controller nodes, following an 'openstack overcloud update ...' procedure run in a production environment yesterday. This has major impact given that there are end-customer workloads running in this environment.
Comment 1 Summer Long 2017-07-23 22:10:40 UTC 
Acknowledgements:

Name: Paul Needle (Red Hat)
Comment 4 Ihar Hrachyshka 2017-07-25 15:40:41 UTC 
All bugs except OSP12 are in MODIFIED now. OSP12 will get the fix through regular RDO sync process (we can leave it without a OSP fix for the time being because it was not released yet).
Comment 5 Summer Long 2017-07-25 23:10:48 UTC 
Mitigation:

To determine whether your system is impacted, run:
$ sudo sysctl net.bridge.bridge-nf-call-ip6tables 
$ sudo sysctl net.bridge.bridge-nf-call-iptables
Both should be set to 1

To reset security groups to '1':
1. Apply the following configuration modification:
$ sudo sed -i.back -e 's/reapply_sysctl = 0/reapply_sysctl = 1/' /etc/tuned/tuned-main.conf

2. Ensure the modification was successful:
$ grep reapply_sysctl /etc/tuned/tuned-main.conf
should be "reapply_sysctl = 1"

3. Check whether tuned is running:
$ sudo systemctl status tuned

4. Restart tuned to apply the new configuration:
$ sudo systemctl restart tuned

5. Recheck your security groups and the status of 'reapply_sysctl'.
Comment 11 errata-xmlrpc 2017-08-08 22:31:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2017:2451 https://access.redhat.com/errata/RHSA-2017:2451
Comment 12 errata-xmlrpc 2017-08-08 22:32:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:2450 https://access.redhat.com/errata/RHSA-2017:2450
Comment 13 errata-xmlrpc 2017-08-08 22:32:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2017:2449 https://access.redhat.com/errata/RHSA-2017:2449
Comment 14 errata-xmlrpc 2017-08-08 22:33:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:2448 https://access.redhat.com/errata/RHSA-2017:2448
Comment 15 errata-xmlrpc 2017-08-08 22:33:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:2447 https://access.redhat.com/errata/RHSA-2017:2447
Comment 16 errata-xmlrpc 2017-08-08 22:51:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2017:2452 https://access.redhat.com/errata/RHSA-2017:2452
Comment 17 Suraj Chandegave 2018-10-05 13:03:55 UTC 
Hi,

I checked the errata https://access.redhat.com/errata/RHSA-2017:2450 to get fix for vulnerability CVE-2017-7543 for openstack kilo, but it says to update the openstack-neutron rpm package. Can I get access to specific code fix made to fix this vulnerability?

Thanks.
Comment 18 Summer Long 2018-10-08 00:14:47 UTC 
Created attachment 1491473 [details]
RHOSP7 difffs for three files
Comment 19 Summer Long 2018-10-08 00:17:08 UTC 
Created attachment 1491474 [details]
RHOSP7 diff for this CVE
Comment 20 Summer Long 2018-10-08 00:23:35 UTC 
Hi Suraj, Because this flaw only impacts Red Hat OpenStack Platform versions and not upstream, I can't offer an upstream code link. However, I have attached a file to this bug with a diff of the Red Hat updates (matching the errata you quoted). 
Hope this helps, Summer
Comment 21 Suraj Chandegave 2018-10-09 05:10:47 UTC 
Thanks Summer. This helped.