Red Hat Bugzilla – Bug 1473792
CVE-2017-7543 openstack-neutron: iptables not active after update
Last modified: 2018-10-09 01:10:47 EDT
Paul Needle of Red Hat reports: iptables/firewalld is not active on overcloud compute and controller nodes, following an 'openstack overcloud update ...' procedure run in a production environment yesterday. This has major impact given that there are end-customer workloads running in this environment.
Acknowledgements: Name: Paul Needle (Red Hat)
All bugs except OSP12 are in MODIFIED now. OSP12 will get the fix through regular RDO sync process (we can leave it without a OSP fix for the time being because it was not released yet).
Mitigation: To determine whether your system is impacted, run: $ sudo sysctl net.bridge.bridge-nf-call-ip6tables $ sudo sysctl net.bridge.bridge-nf-call-iptables Both should be set to 1 To reset security groups to '1': 1. Apply the following configuration modification: $ sudo sed -i.back -e 's/reapply_sysctl = 0/reapply_sysctl = 1/' /etc/tuned/tuned-main.conf 2. Ensure the modification was successful: $ grep reapply_sysctl /etc/tuned/tuned-main.conf should be "reapply_sysctl = 1" 3. Check whether tuned is running: $ sudo systemctl status tuned 4. Restart tuned to apply the new configuration: $ sudo systemctl restart tuned 5. Recheck your security groups and the status of 'reapply_sysctl'.
This issue has been addressed in the following products: Red Hat OpenStack Platform 8.0 (Liberty) Via RHSA-2017:2451 https://access.redhat.com/errata/RHSA-2017:2451
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2017:2450 https://access.redhat.com/errata/RHSA-2017:2450
This issue has been addressed in the following products: Red Hat OpenStack Platform 11.0 (Ocata) Via RHSA-2017:2449 https://access.redhat.com/errata/RHSA-2017:2449
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2017:2448 https://access.redhat.com/errata/RHSA-2017:2448
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2017:2447 https://access.redhat.com/errata/RHSA-2017:2447
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 Via RHSA-2017:2452 https://access.redhat.com/errata/RHSA-2017:2452
Hi, I checked the errata https://access.redhat.com/errata/RHSA-2017:2450 to get fix for vulnerability CVE-2017-7543 for openstack kilo, but it says to update the openstack-neutron rpm package. Can I get access to specific code fix made to fix this vulnerability? Thanks.
Created attachment 1491473 [details] RHOSP7 difffs for three files
Created attachment 1491474 [details] RHOSP7 diff for this CVE
Hi Suraj, Because this flaw only impacts Red Hat OpenStack Platform versions and not upstream, I can't offer an upstream code link. However, I have attached a file to this bug with a diff of the Red Hat updates (matching the errata you quoted). Hope this helps, Summer
Thanks Summer. This helped.