Bug 1473792 - (CVE-2017-7543) CVE-2017-7543 openstack-neutron: iptables not active after update
CVE-2017-7543 openstack-neutron: iptables not active after update
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20170808,repo...
: Security
Depends On: 1474116 1474113 1474114 1474115 1474117 1474118 1474119
Blocks: 1473793
  Show dependency treegraph
 
Reported: 2017-07-21 12:44 EDT by Kurt Seifried
Modified: 2017-08-10 13:03 EDT (History)
25 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A race-condition flaw was discovered in openstack-neutron where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2017-07-21 12:44:58 EDT
Paul Needle of Red Hat reports:

iptables/firewalld is not active on overcloud compute and controller nodes, following an 'openstack overcloud update ...' procedure run in a production environment yesterday. This has major impact given that there are end-customer workloads running in this environment.
Comment 1 Summer Long 2017-07-23 18:10:40 EDT
Acknowledgements:

Name: Paul Needle (Red Hat)
Comment 4 Ihar Hrachyshka 2017-07-25 11:40:41 EDT
All bugs except OSP12 are in MODIFIED now. OSP12 will get the fix through regular RDO sync process (we can leave it without a OSP fix for the time being because it was not released yet).
Comment 5 Summer Long 2017-07-25 19:10:48 EDT
Mitigation:

To determine whether your system is impacted, run:
$ sudo sysctl net.bridge.bridge-nf-call-ip6tables 
$ sudo sysctl net.bridge.bridge-nf-call-iptables
Both should be set to 1

To reset security groups to '1':
1. Apply the following configuration modification:
$ sudo sed -i.back -e 's/reapply_sysctl = 0/reapply_sysctl = 1/' /etc/tuned/tuned-main.conf

2. Ensure the modification was successful:
$ grep reapply_sysctl /etc/tuned/tuned-main.conf
should be "reapply_sysctl = 1"

3. Check whether tuned is running:
$ sudo systemctl status tuned

4. Restart tuned to apply the new configuration:
$ sudo systemctl restart tuned

5. Recheck your security groups and the status of 'reapply_sysctl'.
Comment 11 errata-xmlrpc 2017-08-08 18:31:43 EDT
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2017:2451 https://access.redhat.com/errata/RHSA-2017:2451
Comment 12 errata-xmlrpc 2017-08-08 18:32:13 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:2450 https://access.redhat.com/errata/RHSA-2017:2450
Comment 13 errata-xmlrpc 2017-08-08 18:32:40 EDT
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2017:2449 https://access.redhat.com/errata/RHSA-2017:2449
Comment 14 errata-xmlrpc 2017-08-08 18:33:05 EDT
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:2448 https://access.redhat.com/errata/RHSA-2017:2448
Comment 15 errata-xmlrpc 2017-08-08 18:33:35 EDT
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:2447 https://access.redhat.com/errata/RHSA-2017:2447
Comment 16 errata-xmlrpc 2017-08-08 18:51:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2017:2452 https://access.redhat.com/errata/RHSA-2017:2452

Note You need to log in before you can comment on or make changes to this bug.