Bug 1594978 - CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration [openstack-rdo]
Summary: CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ...
Status: NEW
Alias: None
Product: RDO
Classification: Community
Component: openstack-neutron
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: trunk
Assignee: Assaf Muller
QA Contact: Ofer Blaut
Depends On:
Blocks: CVE-2018-14636
TreeView+ depends on / blocked
Reported: 2018-06-25 21:57 UTC by Laura Pardo
Modified: 2018-09-10 17:05 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Laura Pardo 2018-06-25 21:57:38 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:

When submitting as an update, use the fedpkg template provided in the next
comment(s).  This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.

Comment 1 Miguel Angel Ajo 2018-08-10 15:01:15 UTC
Oh, the patches referenced on the bz are incorrect for this bz.

Those patches address the case when an agent (dhcp/l3/etc) get's a port plugged, but then the openvswitch-agent is not able to tag the port, it remains untagged, and it's a trunk port (https://bugs.launchpad.net/neutron/+bug/1767422 ) 

But those patches *are not* addressing the instances themselves.

This needs to be addressed in nova, or os-vif by plugging the port in vlan 4095, then, when neutron is ready will re-plug to the right vlan.

Note You need to log in before you can comment on or make changes to this bug.