Bug 1695451

Summary: CVE-2019-10876 openstack-neutron: DOS via broken port range merging in security group [openstack-13-default]
Product: Red Hat OpenStack
Component: openstack-neutron
Version: 13.0 (Queens)
Target Release: 13.0 (Queens)
Target Milestone: z6
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Security, SecurityTracking, Triaged, ZStream
Reporter: Slawek Kaplonski <skaplons>
Assignee: Bernard Cafarelli <bcafarel>
QA Contact: Roee Agiman <ragiman>
CC: amuller, bcafarel, chrisw, jpadman, ragiman, scohen, shdunne
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-neutron-12.0.5-10.el7ost
Clone Of: 1695450
Bug Depends On: 1695450
Bug Blocks: 1695452, 1695883
Deadline: 2020-02-28
Last Closed: 2019-04-30 17:23:34 UTC

Description Slawek Kaplonski 2019-04-03 06:52:19 UTC
+++ This bug was initially created as a clone of Bug #1695450 +++

It appears that we have found that neutron-openvswitch-agent has a bug where two security group rules with two different, overlapping port ranges tied to the same parent security group cause neutron to be unable to configure networks on the compute nodes where those security groups are present.
Those are the broken security rules: https://pastebin.canonical.com/p/wSy8RSXt85/
Here is the log when we discovered the issue: https://pastebin.canonical.com/p/wvFKjNWydr/

It affects only openvswitch firewall driver.

Backports proposed U/S: https://review.openstack.org/#/q/I17ab643abbd2ec21eda4ae1dfb9abf2d4b0657f2
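The trigger the description gives is two rules in one security group whose port ranges overlap. The following is an added illustration, not neutron's code and not the upstream fix: it shows (a) a pre-flight check an operator can run over a security group's rules to find overlapping pairs before they reach the agent, (b) a merger that assumes disjoint input and therefore rejects the whole rule set when an overlap appears, and (c) a merger that coalesces overlapping and adjacent ranges into disjoint ones. The rule layout (dicts with direction, protocol, port_range_min, port_range_max and an optional remote_group_id), the merge key, the treatment of an absent range as 1-65535, and the sample rules are all assumptions made for this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample, not taken from the report: two overlapping TCP ranges in
# one security group (the trigger condition described above) plus unrelated rules.
SAMPLE_RULES: List[Dict] = [
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 80, "port_range_max": 90},
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 85, "port_range_max": 100},
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 443, "port_range_max": 443},
    {"direction": "egress", "protocol": "udp", "port_range_min": 53, "port_range_max": 53},
]

Key = Tuple[str, str, str]


def _key(rule: Dict) -> Key:
    """Assumed merge key: ranges may only be merged across rules that agree on
    direction, protocol and remote group (None is normalised to '' so keys sort)."""
    return (rule["direction"], rule.get("protocol") or "", rule.get("remote_group_id") or "")


def _ports(rule: Dict) -> Tuple[int, int]:
    """Assumption for this example: an absent range means the whole port space."""
    lo = rule.get("port_range_min")
    hi = rule.get("port_range_max")
    return (1 if lo is None else lo, 65535 if hi is None else hi)


def find_overlaps(rules: List[Dict]) -> List[Tuple[int, int]]:
    """Return index pairs of rules whose port ranges overlap under the same key.
    Running this over a group's rules spots the condition before it hits the agent."""
    pairs = []
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            if _key(rules[i]) != _key(rules[j]):
                continue
            lo_i, hi_i = _ports(rules[i])
            lo_j, hi_j = _ports(rules[j])
            if lo_i <= hi_j and lo_j <= hi_i:
                pairs.append((i, j))
    return pairs


def merge_port_ranges_naive(rules: List[Dict]) -> List[Dict]:
    """Illustrative merger that only joins adjacent ranges and assumes its input
    is disjoint; an overlapping pair makes it abandon the whole rule set."""
    out: List[Dict] = []
    for rule in sorted(rules, key=lambda r: (_key(r), _ports(r))):
        lo, hi = _ports(rule)
        if out and _key(out[-1]) == _key(rule):
            prev_lo, prev_hi = _ports(out[-1])
            if prev_hi + 1 == lo:  # adjacent: extend the previous rule
                out[-1]["port_range_max"] = hi
                continue
            if lo <= prev_hi:
                raise ValueError(f"overlapping ranges {prev_lo}-{prev_hi} and {lo}-{hi}")
        out.append(dict(rule))
    return out


def naive_merge_rejects(rules: List[Dict]) -> bool:
    """True if the naive merger refuses the rule set."""
    try:
        merge_port_ranges_naive(rules)
    except ValueError:
        return True
    return False


def _rule(key: Key, lo: int, hi: int) -> Dict:
    direction, protocol, remote = key
    rule = {"direction": direction, "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi}
    if remote:
        rule["remote_group_id"] = remote
    return rule


def merge_port_ranges(rules: List[Dict]) -> List[Dict]:
    """Coalesce overlapping and adjacent ranges per key into disjoint rules.
    Overlap is absorbed instead of rejected, so one bad pair cannot stall the rest."""
    groups: Dict[Key, List[Tuple[int, int]]] = {}
    for rule in rules:
        groups.setdefault(_key(rule), []).append(_ports(rule))
    merged: List[Dict] = []
    for key, ranges in groups.items():
        ranges.sort()
        lo, hi = ranges[0]
        for nlo, nhi in ranges[1:]:
            if nlo <= hi + 1:  # overlapping or adjacent: absorb into current range
                hi = max(hi, nhi)
            else:
                merged.append(_rule(key, lo, hi))
                lo, hi = nlo, nhi
        merged.append(_rule(key, lo, hi))
    return merged
```

On the sample rules, `find_overlaps` flags the 80-90 / 85-100 pair, the naive merger raises, and `merge_port_ranges` yields three disjoint rules (tcp 80-100, tcp 443, udp 53). The point for an operator is the first function: a tenant-supplied security group is untrusted input to the agent, so overlapping ranges are worth checking for on the API side as well as being tolerated on the dataplane side.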

Comment 2 msiddiqu 2019-04-05 12:47:59 UTC
A change was made (new impact, public date, or CSAw status) to the security issue(s) blocked by this tracker, resulting in a new SLA deadline. This bug must now be resolved by 28-Feb-2020.

Refer to this bug's Description for information about how to resolve this bug.

Comment 12 errata-xmlrpc 2019-04-30 17:23:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0935