Bug 1690745 (CVE-2019-9735)

Summary: CVE-2019-9735 openstack-neutron: incorrect validation of port settings in iptables security group driver
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amuller, bcafarel, chrisw, dbecker, jjoyce, jschluet, kbasil, lhh, lpeer, mburns, sclewis, scohen, slinaber, slong, srevivo
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A validation flaw was discovered in the iptables firewall module in OpenStack Neutron. By setting a destination port in a security group rule, along with a protocol that does not support that option (for example, VRRP), an authenticated user could block further application of security group rules for instances from any project or tenant on the compute hosts to which it's applied. Only OpenStack deployments that use the iptables security group driver are affected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:51:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1690387, 1690746, 1691121, 1691122, 1691123
Bug Blocks: 1690749

Description Dhananjay Arunesh 2019-03-20 07:25:51 UTC
An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)


Reference:
https://bugs.launchpad.net/neutron/+bug/1818385
https://seclists.org/oss-sec/2019/q1/183

Upstream commit:
https://git.openstack.org/cgit/openstack/neutron/commit/?id=8c213e45902e21d2fe00639ef7d92b35304bde82

Upstream Patches:
https://git.openstack.org/cgit/openstack/neutron/patch/?id=8c213e45902e21d2fe00639ef7d92b35304bde82
https://review.openstack.org/640619 
https://review.openstack.org/640790 
https://review.openstack.org/640702
https://review.openstack.org/640685 
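The validation the description says was missing, as an added example (not Neutron's code and not the upstream patch): a security group rule that carries port fields for a protocol the iptables driver cannot express with --dport/--sport is rejected at the API before it can reach the host-wide rule batch. The protocol sets, the protocol-number table and the rule dict keys are assumptions of this example.

```python
"""Validate security group rules so that port options are accepted only for
protocols that have ports (added example, not Neutron's own code)."""

# Protocols an L4-aware firewall driver can turn into --dport/--sport matches.
# Assumption for this example: this set is what the driver supports.
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}
# ICMP carries type/code in the same two port fields, not real ports.
ICMP_PROTOCOLS = {"icmp", "icmpv6", "ipv6-icmp"}
# IANA protocol numbers, so numeric rules are checked like named ones.
PROTO_NUMBERS = {"1": "icmp", "6": "tcp", "17": "udp", "33": "dccp",
                 "58": "icmpv6", "112": "vrrp", "132": "sctp", "136": "udplite"}


class InvalidRule(ValueError):
    """Raised when a rule would yield an iptables rule that cannot load."""


def validate_rule(rule):
    """Return the normalized protocol of a valid rule, else raise InvalidRule."""
    proto = rule.get("protocol")
    if proto is not None:
        proto = str(proto).lower()
        proto = PROTO_NUMBERS.get(proto, proto)
    pmin, pmax = rule.get("port_range_min"), rule.get("port_range_max")
    if pmin is None and pmax is None:
        return proto
    if proto is None:
        raise InvalidRule("port range given without a protocol")
    if proto in ICMP_PROTOCOLS:
        if any(v is not None and not 0 <= v <= 255 for v in (pmin, pmax)):
            raise InvalidRule("ICMP type/code must be in 0..255")
        return proto
    if proto not in PORT_PROTOCOLS:
        # e.g. VRRP: '-p vrrp --dport N' is refused by iptables-restore.
        raise InvalidRule(f"protocol {proto!r} does not support ports")
    lo = pmin if pmin is not None else pmax
    hi = pmax if pmax is not None else pmin
    if not 1 <= lo <= hi <= 65535:
        raise InvalidRule("port range must satisfy 1 <= min <= max <= 65535")
    return proto


def is_valid_rule(rule):
    """Yes/no form of validate_rule for callers that filter rule lists."""
    try:
        validate_rule(rule)
        return True
    except InvalidRule:
        return False
```

Because one invalid rule on a host stalls rule application for every instance on it, the check belongs at rule creation time, not in the driver that renders the batch.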

Comment 1 Dhananjay Arunesh 2019-03-20 07:26:06 UTC
Created openstack-neutron tracking bugs for this issue:

Affects: openstack-rdo [bug 1690746]

Comment 7 Summer Long 2019-03-25 23:01:52 UTC
External References:

https://seclists.org/oss-sec/2019/q1/183

Comment 8 Summer Long 2019-03-25 23:03:57 UTC
Red Hat OpenStack Platform versions 10, 13, and 14 are affected by this vulnerability.

Comment 11 errata-xmlrpc 2019-04-30 16:58:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0916 https://access.redhat.com/errata/RHSA-2019:0916

Comment 12 errata-xmlrpc 2019-04-30 17:23:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0935 https://access.redhat.com/errata/RHSA-2019:0935

Comment 13 errata-xmlrpc 2019-04-30 17:35:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:0879 https://access.redhat.com/errata/RHSA-2019:0879