Bug 1594333 - [Deployment] Karaf shell should only be exposed to internal API network
Summary: [Deployment] Karaf shell should only be exposed to internal API network
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-opendaylight
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z1
Target Release: 13.0 (Queens)
Assignee: Tim Rozet
QA Contact: Tomas Jamrisko
URL:
Whiteboard: Deployment
Depends On:
Blocks:
Reported: 2018-06-22 16:14 UTC by Daniel Farrell
Modified: 2022-07-09 11:34 UTC (History)

Fixed In Version: puppet-opendaylight-8.1.2-2.38977efgit.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the Karaf shell (the management shell for OpenDaylight) was not bound to a specific IP on port 8101, causing the Karaf shell to listen on the public-facing, external network. This created a security vulnerability, because the external network could be used to access OpenDaylight on the port. This update binds the Karaf shell to the internal API network IP during deployment, which makes the Karaf shell only accessible on the private internal API network.
Clone Of:
Environment:
N/A
Last Closed: 2018-07-19 14:27:12 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenDaylight Bug INTPAK-185 0 None None None 2018-06-28 14:50:07 UTC
OpenDaylight gerrit 73588 0 None None None 2018-06-28 19:57:08 UTC
OpenDaylight gerrit 73610 0 None None None 2018-06-29 15:08:49 UTC
Red Hat Issue Tracker ODL-263 0 None None None 2022-07-09 11:34:26 UTC
Red Hat Issue Tracker OSP-17204 0 None None None 2022-07-09 11:34:28 UTC
Red Hat Product Errata RHSA-2018:2214 0 None None None 2018-07-19 14:28:01 UTC

Description Daniel Farrell 2018-06-22 16:14:37 UTC
The OpenDaylight Karaf shell should only be accessible from the admin network (TODO: is that the right network name?). It's currently listening on all IPs, which is insecure.


[heat-admin@controller-0 ~]$ sudo netstat -tulpn | grep 8101
tcp 0 0 0.0.0.0:8101 0.0.0.0:* LISTEN 36976/java 
[heat-admin@controller-0 ~]$ sudo netstat -tulpn | grep 8081
tcp 0 0 192.168.24.11:8081 0.0.0.0:* LISTEN 67377/haproxy 
tcp 0 0 172.17.1.13:8081 0.0.0.0:* LISTEN 67377/haproxy 
tcp 0 0 172.17.1.17:8081 0.0.0.0:* LISTEN 36976/java
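Added example, not part of this bug report or of puppet-opendaylight: a small audit script that parses netstat-style listings like the one above, flags the Karaf SSH shell (TCP 8101) when it is bound to a wildcard address or to anything other than the internal API address, and renders the org.apache.karaf.shell.cfg keys that pin it. The sample listing is constructed to mirror the description; sshHost and sshPort are real Karaf shell configuration keys, while the internal API address 172.17.1.17 is taken from the description's 8081 listener and passed in by the caller rather than discovered.

```python
"""Audit Karaf shell bind addresses from `netstat -tulpn` output.

Added example (not the project's code). It understands the netstat-style
layout shown in the bug description; `ss -tulpn` prints a different layout
and would need its own parser.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

KARAF_SSH_PORT = 8101            # Karaf SSH shell port from the report
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample mirroring the netstat lines in the bug description.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:8101 0.0.0.0:* LISTEN 36976/java
tcp 0 0 192.168.24.11:8081 0.0.0.0:* LISTEN 67377/haproxy
tcp 0 0 172.17.1.13:8081 0.0.0.0:* LISTEN 67377/haproxy
tcp 0 0 172.17.1.17:8081 0.0.0.0:* LISTEN 36976/java
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]
    program: str


@dataclass
class Finding:
    listener: Listener
    reason: str


# proto recv-q send-q local-address foreign-address [LISTEN] pid/program
_LINE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\S+)"
)


def _split_addr(local: str):
    """Split 'host:port', also accepting ':::8101' and '[::]:8101'."""
    host, _, port = local.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return (host or "::"), int(port)


def parse_netstat(text: str) -> List[Listener]:
    """Parse netstat -tulpn style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header lines and anything unrecognised
        proto, local, owner = m.groups()
        host, port = _split_addr(local)
        pid, _, prog = owner.partition("/")  # '36976/java' or '-'
        listeners.append(
            Listener(proto, host, port, int(pid) if pid.isdigit() else None, prog)
        )
    return listeners


def audit_karaf_binding(listeners: List[Listener], internal_api_ip: str) -> List[Finding]:
    """Report Karaf shell sockets not pinned to the internal API address."""
    findings = []
    for lst in listeners:
        if lst.port != KARAF_SSH_PORT:
            continue
        if lst.addr in WILDCARDS:
            findings.append(Finding(
                lst, f"Karaf shell bound to wildcard {lst.addr}: reachable on "
                     f"every network the host is attached to, external included"))
        elif lst.addr != internal_api_ip:
            findings.append(Finding(
                lst, f"Karaf shell bound to {lst.addr}, not the internal API "
                     f"address {internal_api_ip}"))
    return findings


def karaf_shell_cfg(internal_api_ip: str) -> str:
    """Render the org.apache.karaf.shell.cfg keys that pin the shell."""
    return f"sshHost = {internal_api_ip}\nsshPort = {KARAF_SSH_PORT}\n"


if __name__ == "__main__":
    found = audit_karaf_binding(parse_netstat(SAMPLE_NETSTAT), "172.17.1.17")
    for f in found:
        print(f"{f.listener.program} pid={f.listener.pid}: {f.reason}")
    if found:
        print("suggested org.apache.karaf.shell.cfg settings:")
        print(karaf_shell_cfg("172.17.1.17"), end="")
```

Run against live output with `sudo netstat -tulpn | python3 audit.py`-style piping by reading stdin instead of SAMPLE_NETSTAT; the 8081 REST listener bound by the same java PID is a convenient cross-check for which address the internal API network uses on that controller.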

Comment 15 errata-xmlrpc 2018-07-19 14:27:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2214

Comment 16 Tim Rozet 2018-07-24 14:53:53 UTC
I just realized that although this fix improves the security, it was not that big of a security hole because the port was blocked by default in iptables:
https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/opendaylight-api.yaml#L110

