Bug 1090132 - (CVE-2014-0187) CVE-2014-0187 openstack-neutron: security groups bypass through invalid CIDR
CVE-2014-0187 openstack-neutron: security groups bypass through invalid CIDR
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1090136 1090137 1099099 1099103 1099104
Blocks: 1090135
  Show dependency treegraph
Reported: 2014-04-22 12:22 EDT by Vincent Danen
Modified: 2016-04-26 15:58 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-07-17 00:48:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2014-04-22 12:22:44 EDT
OpenStack Security Advisory: 2014-014
CVE: CVE-2014-0187
Date: April 22, 2014
Title: Neutron security groups bypass through invalid CIDR
Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom)
Products: Neutron
Versions: 2013.1 to 2013.2.3, and 2014.1

Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche
Telekom reported a vulnerability in Neutron security groups. By creating
a security group rule with an invalid CIDR, an authenticated user may
break openvswitch-agent process, preventing further rules from being
applied on the host. Note: removal of the faulty rule is not enough, the
openvswitch-agent must be restarted. All Neutron setups using Open
vSwitch are affected.

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.

Comment 2 Vincent Danen 2014-04-22 12:28:17 EDT
Created openstack-neutron tracking bugs for this issue:

Affects: fedora-20 [bug 1090136]
Comment 3 Ihar Hrachyshka 2014-05-21 07:13:24 EDT
This is a DoS security issue, you can break iptables-restore with it and effectively make later security rules created not working.

Steps to reproduce:
- neutron security-group-rule-create default --direction egress --protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-prefix /32
- observe that OVS agent crashes as in https://bugs.launchpad.net/neutron/+bug/1300785
- observe that any new security rules added are not applied to firewall tables.
Comment 4 Fedora Update System 2014-05-28 19:52:37 EDT
openstack-neutron-2013.2.3-7.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 errata-xmlrpc 2014-07-17 00:28:11 EDT
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0899 https://rhn.redhat.com/errata/RHSA-2014-0899.html

Note You need to log in before you can comment on or make changes to this bug.