Bug 1690387

Summary: CVE-2019-9735 openstack-neutron: incorrect validation of port settings in iptables security group driver (OSSA-2019-001) [openstack-10]
Product: Red Hat OpenStack
Reporter: Brian Haley <bhaley>
Component: openstack-neutron
Assignee: Brian Haley <bhaley>
Status: CLOSED ERRATA
QA Contact: Candido Campos <ccamposr>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 10.0 (Newton)
CC: amuller, bcafarel, chrisw, jschluet, scohen, slinaber, slong
Target Milestone: z11
Keywords: Security, SecurityTracking, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-neutron-9.4.1-40.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1690402 1691342 1691350
Environment:
Last Closed: 2019-04-30 16:58:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1690402, 1690745, 1691342, 1691350

Description Brian Haley 2019-03-19 11:49:01 UTC
Cloned from launchpad bug 1818385.

Description:

This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112

Since iptables does not allow dst-port to be passed, it would trigger the following error on the compute and fail to apply any future iptables rules.
> unknown option "--dport"

Specification URL (additional information):

https://bugs.launchpad.net/neutron/+bug/1818385
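
The API-side check the report asks for, as an added example (not Neutron's own code): a hypothetical validator that refuses port_range_min/max on protocols iptables cannot match ports on, so that a rule like the VRRP one above is rejected at creation time instead of producing an iptables rule that fails with 'unknown option "--dport"'. The rule dicts, function names and protocol tables below are constructed for this example, using the OpenStack API field names.

```python
# Added example, not code from Neutron. A hypothetical validator for the check
# the bug calls for: a rule may carry port_range_min/max only when the protocol
# is one iptables can match ports on. Otherwise the driver would emit
# "-p <proto> --dport N", iptables rejects it with 'unknown option "--dport"',
# and every later security-group update on that compute node fails as well.

PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}   # support --dport
ICMP_PROTOCOLS = {"icmp", "ipv6-icmp"}                       # min/max = type/code
# Protocol numbers the API also accepts, mapped to the names used above.
PROTOCOL_NUMBERS = {"6": "tcp", "17": "udp", "136": "udplite", "132": "sctp",
                    "33": "dccp", "1": "icmp", "58": "ipv6-icmp"}

class InvalidRule(ValueError):
    """A rule that must be refused at the API rather than reach the agent."""

def normalize_protocol(protocol):
    if protocol is None:
        return None
    p = str(protocol).lower()
    return PROTOCOL_NUMBERS.get(p, p)

def validate_rule(rule):
    """Return (protocol, port_range_min, port_range_max) or raise InvalidRule."""
    proto = normalize_protocol(rule.get("protocol"))
    pmin, pmax = rule.get("port_range_min"), rule.get("port_range_max")
    if pmin is None and pmax is None:
        return proto, None, None
    if proto in ICMP_PROTOCOLS:
        for v in (pmin, pmax):
            if v is not None and not 0 <= v <= 255:
                raise InvalidRule("ICMP type/code out of range: %r" % v)
        return proto, pmin, pmax
    if proto not in PORT_PROTOCOLS:
        # The VRRP (protocol 112) case from the report: no port concept at all.
        raise InvalidRule("port range not allowed for protocol %r" % rule.get("protocol"))
    if pmin is None or pmax is None or not 1 <= pmin <= pmax <= 65535:
        raise InvalidRule("invalid port range %r-%r" % (pmin, pmax))
    return proto, pmin, pmax

def iptables_match(rule):
    """Render the iptables match fragment, but only for a validated rule."""
    proto, pmin, pmax = validate_rule(rule)
    parts = ["-p", proto] if proto else []
    if proto in PORT_PROTOCOLS and pmin is not None:
        parts += ["--dport", str(pmin) if pmin == pmax else "%d:%d" % (pmin, pmax)]
    elif proto in ICMP_PROTOCOLS and pmin is not None:
        flag = "--icmp-type" if proto == "icmp" else "--icmpv6-type"
        parts += [flag, str(pmin) if pmax is None else "%d/%d" % (pmin, pmax)]
    return parts
```

A VRRP rule without a port range still renders to a plain `-p vrrp` match; only the port-carrying variant is refused.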

Comment 2 Summer Long 2019-03-25 22:41:36 UTC
Adding this as a security tracker to the CVE flaw, 1690745.

Comment 3 Summer Long 2019-03-25 22:49:35 UTC
Changed the Summary syntax so that this can be recognized as a security bug.

Comment 14 errata-xmlrpc 2019-04-30 16:58:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0916