Bug 1473792 (CVE-2017-7543) - CVE-2017-7543 openstack-neutron: iptables not active after update
Summary: CVE-2017-7543 openstack-neutron: iptables not active after update
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1474113 1474114 1474115 1474116 1474117 1474118 1474119
Blocks: 1473793
TreeView+ depends on / blocked
 
Reported: 2017-07-21 16:44 UTC by Kurt Seifried
Modified: 2019-09-29 14:16 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A race-condition flaw was discovered in openstack-neutron where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.
Clone Of:
Environment:
Last Closed: 2017-12-14 00:39:16 UTC


Attachments (Terms of Use)
RHOSP7 difffs for three files (593 bytes, text/plain)
2018-10-08 00:14 UTC, Summer Long
no flags Details
RHOSP7 diff for this CVE (1.72 KB, text/plain)
2018-10-08 00:17 UTC, Summer Long
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2447 normal SHIPPED_LIVE Important: openstack-neutron security update 2017-08-09 02:31:02 UTC
Red Hat Product Errata RHSA-2017:2448 normal SHIPPED_LIVE Important: openstack-neutron security update 2017-08-09 02:30:46 UTC
Red Hat Product Errata RHSA-2017:2449 normal SHIPPED_LIVE Important: openstack-neutron security update 2017-08-09 02:30:34 UTC
Red Hat Product Errata RHSA-2017:2450 normal SHIPPED_LIVE Important: openstack-neutron security update 2017-08-09 02:29:56 UTC
Red Hat Product Errata RHSA-2017:2451 normal SHIPPED_LIVE Important: openstack-neutron security update 2017-08-09 02:29:29 UTC
Red Hat Product Errata RHSA-2017:2452 normal SHIPPED_LIVE Important: openstack-neutron security update 2017-08-09 02:50:56 UTC

Description Kurt Seifried 2017-07-21 16:44:58 UTC
Paul Needle of Red Hat reports:

iptables/firewalld is not active on overcloud compute and controller nodes, following an 'openstack overcloud update ...' procedure run in a production environment yesterday. This has major impact given that there are end-customer workloads running in this environment.

Comment 1 Summer Long 2017-07-23 22:10:40 UTC
Acknowledgements:

Name: Paul Needle (Red Hat)

Comment 4 Ihar Hrachyshka 2017-07-25 15:40:41 UTC
All bugs except OSP12 are in MODIFIED now. OSP12 will get the fix through regular RDO sync process (we can leave it without a OSP fix for the time being because it was not released yet).

Comment 5 Summer Long 2017-07-25 23:10:48 UTC
Mitigation:

To determine whether your system is impacted, run:
$ sudo sysctl net.bridge.bridge-nf-call-ip6tables 
$ sudo sysctl net.bridge.bridge-nf-call-iptables
Both should be set to 1

To reset security groups to '1':
1. Apply the following configuration modification:
$ sudo sed -i.back -e 's/reapply_sysctl = 0/reapply_sysctl = 1/' /etc/tuned/tuned-main.conf

2. Ensure the modification was successful:
$ grep reapply_sysctl /etc/tuned/tuned-main.conf
should be "reapply_sysctl = 1"

3. Check whether tuned is running:
$ sudo systemctl status tuned

4. Restart tuned to apply the new configuration:
$ sudo systemctl restart tuned

5. Recheck your security groups and the status of 'reapply_sysctl'.

Comment 11 errata-xmlrpc 2017-08-08 22:31:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2017:2451 https://access.redhat.com/errata/RHSA-2017:2451

Comment 12 errata-xmlrpc 2017-08-08 22:32:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:2450 https://access.redhat.com/errata/RHSA-2017:2450

Comment 13 errata-xmlrpc 2017-08-08 22:32:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2017:2449 https://access.redhat.com/errata/RHSA-2017:2449

Comment 14 errata-xmlrpc 2017-08-08 22:33:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:2448 https://access.redhat.com/errata/RHSA-2017:2448

Comment 15 errata-xmlrpc 2017-08-08 22:33:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:2447 https://access.redhat.com/errata/RHSA-2017:2447

Comment 16 errata-xmlrpc 2017-08-08 22:51:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2017:2452 https://access.redhat.com/errata/RHSA-2017:2452

Comment 17 Suraj Chandegave 2018-10-05 13:03:55 UTC
Hi,

I checked the errata https://access.redhat.com/errata/RHSA-2017:2450 to get fix for vulnerability CVE-2017-7543 for openstack kilo, but it says to update the openstack-neutron rpm package. Can I get access to specific code fix made to fix this vulnerability?

Thanks.

Comment 18 Summer Long 2018-10-08 00:14:47 UTC
Created attachment 1491473 [details]
RHOSP7 difffs for three files

Comment 19 Summer Long 2018-10-08 00:17:08 UTC
Created attachment 1491474 [details]
RHOSP7 diff for this CVE

Comment 20 Summer Long 2018-10-08 00:23:35 UTC
Hi Suraj, Because this flaw only impacts Red Hat OpenStack Platform versions and not upstream, I can't offer an upstream code link. However, I have attached a file to this bug with a diff of the Red Hat updates (matching the errata you quoted). 
Hope this helps, Summer

Comment 21 Suraj Chandegave 2018-10-09 05:10:47 UTC
Thanks Summer. This helped.


Note You need to log in before you can comment on or make changes to this bug.