Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1409687 - (CVE-2016-9599) CVE-2016-9599 puppet-tripleo: if ssl is enabled, traffic is open on both undercloud and overcloud
CVE-2016-9599 puppet-tripleo: if ssl is enabled, traffic is open on both unde...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20161222,repo...
: Security
Depends On: 1409688 1409689 1409690 1409798
Blocks: 1408133
  Show dependency treegraph
 
Reported: 2017-01-02 21:03 EST by Summer Long
Modified: 2018-04-23 16:03 EDT (History)
20 users (show)

See Also:
Fixed In Version: puppet-tripleo 5.5.0, puppet-tripleo 6.2.0
Doc Type: If docs needed, set a value
Doc Text:
An access-control flaw was discovered in puppet-tripleo's IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. Some API services in Red Hat OpenStack Platform director are not exposed to public networks, which meant their $public_ssl_port value was set to empty (for example, openstack-glance, which is deployed by default on both undercloud and overcloud). If SSL was enabled, a malicious user could use these open ports to gain access to unauthorized resources.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-21 22:57:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1651831 None None None 2017-01-03 09:39 EST
Red Hat Product Errata RHSA-2017:0025 normal SHIPPED_LIVE Important: puppet-tripleo security update 2017-01-05 14:36:51 EST

  None (edit)
Description Summer Long 2017-01-02 21:03:32 EST 
Puppet IPtables rules management allows the creation of TCP / UDP rules with empty port value.Some API services in Director are not exposed to public networks,
which means $public_ssl_port are empty for some services (for example, 
Glance, which is deployed by default on both undercloud and overcloud).

If SSL is enabled, several IPtables rules are created without a
port specified, which opens all traffic for TCP protocol. Example
of rule:
-A INPUT -p tcp -m comment --comment "100 glance_registry_haproxy_ssl"
-m state --state NEW -j ACCEPT
Comment 2 Summer Long 2017-01-02 21:13:32 EST 
Created puppet-tripleo tracking bugs for this issue:

Affects: openstack-rdo [bug 1409689]
Comment 3 Summer Long 2017-01-03 19:15:07 EST 
Acknowledgments:

Name: Ben Nemec (Red Hat)
Comment 4 errata-xmlrpc 2017-01-05 09:37:50 EST 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:0025 https://rhn.redhat.com/errata/RHSA-2017-0025.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.