Bug 1594333 - [Deployment] Karaf shell should only be exposed to internal API network
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-opendaylight
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z1
Target Release: 13.0 (Queens)
Assigned To: Tim Rozet
QA Contact: Tomas Jamrisko
Deployment
Keywords: Security, Triaged, ZStream
Reported: 2018-06-22 12:14 EDT by Daniel Farrell
Modified: 2018-10-18 03:22 EDT
CC List: 12 users
Fixed In Version: puppet-opendaylight-8.1.2-2.38977efgit.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the Karaf shell (the management shell for OpenDaylight) was not bound to a specific IP on port 8101, causing the Karaf shell to listen on the public-facing, external network. This created a security vulnerability, because the external network could be used to access OpenDaylight on the port. This update binds the Karaf shell to the internal API network IP during deployment, which makes the Karaf shell only accessible on the private internal API network.
Last Closed: 2018-07-19 10:27:12 EDT
Type: Bug
External Trackers
Tracker                 ID              Priority  Status  Summary  Last Updated
OpenDaylight Bug        INTPAK-185      None      None    None     2018-06-28 10:50 EDT
OpenDaylight gerrit     73588           None      None    None     2018-06-28 15:57 EDT
OpenDaylight gerrit     73610           None      None    None     2018-06-29 11:08 EDT
Red Hat Product Errata  RHSA-2018:2214  None      None    None     2018-07-19 10:28 EDT
Description Daniel Farrell 2018-06-22 12:14:37 EDT
The OpenDaylight Karaf shell should only be accessible from the admin network (TODO: is that the right network name?). It's currently listening on all IPs, which is insecure.
[heat-admin@controller-0 ~]$ sudo netstat -tulpn | grep 8101
tcp 0 0 0.0.0.0:8101 0.0.0.0:* LISTEN 36976/java 
[heat-admin@controller-0 ~]$ sudo netstat -tulpn | grep 8081
tcp 0 0 192.168.24.11:8081 0.0.0.0:* LISTEN 67377/haproxy 
tcp 0 0 172.17.1.13:8081 0.0.0.0:* LISTEN 67377/haproxy 
tcp 0 0 172.17.1.17:8081 0.0.0.0:* LISTEN 36976/java
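An added example (not code from this bug report or from puppet-opendaylight) that turns the netstat check above into a repeatable audit: it parses `netstat -tulpn` output and flags management ports, here 8101 for the Karaf shell, that are bound to a wildcard or non-internal address. The internal API subnet 172.17.1.0/24 and the sample listing are assumptions constructed from the addresses in this report.

```python
import ipaddress
# Ports that must stay on the internal API net; 8101 is the Karaf SSH shell
# from this bug (the set itself is an assumption of this example).
MANAGEMENT_PORTS = {8101}
# Internal API subnet, assumed from the 172.17.1.x addresses in the report.
INTERNAL_API_NET = ipaddress.ip_network("172.17.1.0/24")

# Constructed sample modelled on the report's `netstat -tulpn` listing, with an
# IPv6 sshd line added to exercise the '::' wildcard case.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp   0 0 0.0.0.0:8101        0.0.0.0:*  LISTEN  36976/java
tcp   0 0 192.168.24.11:8081  0.0.0.0:*  LISTEN  67377/haproxy
tcp   0 0 172.17.1.17:8081    0.0.0.0:*  LISTEN  36976/java
tcp6  0 0 :::22               :::*       LISTEN  1234/sshd
"""

def parse_listeners(netstat_output):
    """Return (proto, bind_address, port, program) for each socket line."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        addr, _, port = fields[3].rpartition(":")  # ':::22' -> ('::', '22')
        listeners.append((fields[0], addr, int(port), fields[-1]))
    return listeners

def classify_bind(addr, internal_net=INTERNAL_API_NET):
    """'wildcard' for 0.0.0.0 or ::, 'internal' inside the API net, else 'external'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "wildcard"
    return "internal" if ip in internal_net else "external"

def audit(netstat_output, mgmt_ports=MANAGEMENT_PORTS, internal_net=INTERNAL_API_NET):
    """Management-port listeners reachable beyond the internal API network."""
    findings = []
    for proto, addr, port, program in parse_listeners(netstat_output):
        if port in mgmt_ports:
            exposure = classify_bind(addr, internal_net)
            if exposure != "internal":
                findings.append({"proto": proto, "bind": f"{addr}:{port}",
                                 "program": program, "exposure": exposure})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):  # prints: wildcard 0.0.0.0:8101 36976/java
        print(f["exposure"], f["bind"], f["program"])
```

Run it against live `sudo netstat -tulpn` output after deployment; an empty result means the Karaf shell is bound only to the internal API address, as the errata fix intends.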
Comment 15 errata-xmlrpc 2018-07-19 10:27:12 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2214
Comment 16 Tim Rozet 2018-07-24 10:53:53 EDT
I just realized that although this fix improves the security, it was not that big of a security hole because the port was blocked by default in iptables:
https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/opendaylight-api.yaml#L110