OpenStack Security Advisory: 2014-014
CVE: CVE-2014-0187
Date: April 22, 2014
Title: Neutron security groups bypass through invalid CIDR
Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom)
Products: Neutron
Versions: 2013.1 to 2013.2.3, and 2014.1

Description:
Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche Telekom reported a vulnerability in Neutron security groups. By creating a security group rule with an invalid CIDR, an authenticated user may break openvswitch-agent process, preventing further rules from being applied on the host. Note: removal of the faulty rule is not enough, the openvswitch-agent must be restarted. All Neutron setups using Open vSwitch are affected.

Juno (development branch) fix: https://review.openstack.org/59212
Icehouse fix: https://review.openstack.org/88674
Havana fix: https://review.openstack.org/88057

Notes:
This fix will be included in the juno-1 development milestone and in future 2013.2.4 and 2014.1.1 releases.

References:
https://launchpad.net/bugs/1300785
Created openstack-neutron tracking bugs for this issue:

Affects: fedora-20 [bug 1090136]
This is a DoS security issue: you can break iptables-restore with it and effectively make security rules created later not work.

Steps to reproduce:
- neutron security-group-rule-create default --direction egress --protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-prefix /32
- observe that OVS agent crashes as in https://bugs.launchpad.net/neutron/+bug/1300785
- observe that any new security rules added are not applied to firewall tables.
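An added example, not part of this bug report and not the Neutron patch: one way to reject a malformed remote prefix before it reaches the agent, and to audit rules already stored. It uses Python's standard `ipaddress` module; the rule dictionaries, their `id` values and the `remote_ip_prefix` key layout are constructed for illustration.

```python
import ipaddress


def normalize_remote_ip_prefix(value):
    """Return the canonical CIDR string, or raise ValueError."""
    if not isinstance(value, str):
        # ip_network() also accepts ints and bytes; an API field should not.
        raise ValueError("remote_ip_prefix must be a string: %r" % (value,))
    try:
        # strict=False masks host bits (10.0.0.1/24 -> 10.0.0.0/24) so the
        # firewall backend always receives one canonical form.
        net = ipaddress.ip_network(value, strict=False)
    except ValueError as exc:
        raise ValueError("invalid CIDR %r: %s" % (value, exc)) from None
    return str(net)


def find_invalid_rules(rules):
    """Return (rule id, raw prefix) for stored rules that fail validation."""
    bad = []
    for rule in rules:
        prefix = rule.get("remote_ip_prefix")
        if prefix is None:  # rule does not restrict by remote prefix
            continue
        try:
            normalize_remote_ip_prefix(prefix)
        except ValueError:
            bad.append((rule["id"], prefix))
    return bad


# Constructed sample data, not taken from a real deployment.
SAMPLE_RULES = [
    {"id": "r1", "remote_ip_prefix": "192.0.2.0/24"},
    {"id": "r2", "remote_ip_prefix": "/32"},          # empty address part
    {"id": "r3", "remote_ip_prefix": None},
    {"id": "r4", "remote_ip_prefix": "10.0.0.0/33"},  # prefix length too long
    {"id": "r5", "remote_ip_prefix": "2001:db8::/32"},
]

if __name__ == "__main__":
    for rule_id, prefix in find_invalid_rules(SAMPLE_RULES):
        print("invalid remote_ip_prefix in rule %s: %r" % (rule_id, prefix))
```

As the advisory notes, deleting a flagged rule is not sufficient on an affected host; the openvswitch-agent must also be restarted.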
openstack-neutron-2013.2.3-7.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

OpenStack 4 for RHEL 6

Via RHSA-2014:0899 https://rhn.redhat.com/errata/RHSA-2014-0899.html