Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1607822 - (CVE-2018-14635) CVE-2018-14635 openstack-neutron: A router interface out of subnet IP range results in a denial of service
CVE-2018-14635 openstack-neutron: A router interface out of subnet IP range r...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20180321,repor...
: Security
Depends On: 1607824 1608088 1608090 1608084 1608085 1608086 1608087 1608089
Blocks: 1607826
  Show dependency treegraph
 
Reported: 2018-07-24 07:02 EDT by Andrej Nemec
Modified: 2018-09-23 23:16 EDT (History)
21 users (show)

See Also:
Fixed In Version: openstack-neutron 13.0.0.0b2, openstack-neutron 12.0.3, openstack-neutron 11.0.5
Doc Type: If docs needed, set a value
Doc Text:
When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside of the allowed allocation pool.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 575444 None master: MERGED neutron: Disallow router interface out of subnet IP range (I32e76a83443dd8e7d79b396499747f29b4762e92) 2018-09-07 16:41 EDT
Red Hat Product Errata RHSA-2018:2710 None None None 2018-09-17 12:46 EDT
Red Hat Product Errata RHSA-2018:2715 None None None 2018-09-17 12:52 EDT

  None (edit)
Description Andrej Nemec 2018-07-24 07:02:35 EDT 
It was found that a non privileged tenant can add a router interface to a shared / external network's subnet with an IP address outside the subnet's allocation pool. This can result in a Denial of Service.

Upstream issue:

https://bugs.launchpad.net/neutron/+bug/1757482

Upstream patch:

https://git.openstack.org/cgit/openstack/neutron/commit/?id=54aa6e81cb17b33ce4d5d469cc11dec2869c762d
Comment 1 Andrej Nemec 2018-07-24 07:03:04 EDT 
Created openstack-neutron tracking bugs for this issue:

Affects: openstack-rdo [bug 1607824]
Comment 2 Assaf Muller 2018-07-24 10:27:29 EDT 
Hi Andrej,

The fix has been merged to the upstream master branch and backports were proposed in Ocata to Queens (equiv. to OSP 11 to 13). We'll need to do a downstream only backport to OSP 10. Were you going to open RHBZs on openstack-neutron branches 10 to 13?
Comment 3 Andrej Nemec 2018-07-24 10:30:33 EDT 
(In reply to Assaf Muller from comment #2)
> Hi Andrej,
> 
> The fix has been merged to the upstream master branch and backports were
> proposed in Ocata to Queens (equiv. to OSP 11 to 13). We'll need to do a
> downstream only backport to OSP 10. Were you going to open RHBZs on
> openstack-neutron branches 10 to 13?

Hi Assaf,

I have been asked to open the flaw by Joshua Padman. I believe that our Openstack analysis team will get to this shortly and open the relevant trackers. I'll leave it up to their analysis to figure out which of our OSPs need the backports.
Comment 4 James Hebden 2018-07-24 19:02:43 EDT 
RHOSP 7.0 through 14.0 all exhibit this behaviour, so I am creating RHBZs for those versions, with the goal of downstream backports being performed for those releases too.
In RHOSP 9.0 through 13.0, the function _validate_router_port_info is addressed by the linked upstream patch in OpenStack gerrit, potentially with small adjustments so everything applies cleanly. In addition, the neutron
In RHOSP 7.0 and 8.0, the function _validate_router_port_info (which the upstream patches apply to) in db/l3_db.py had not been introduced, so does not exist in 7.0 and 8.0's l3_db.py - the simple validation logic is however consolidated in the _add_interface_by_port function in these older releases. Given no similar protection logic is present in these releases, I suggest that in order to address this for those releases, additional backporting work would be required to add validation to _add_interface_by_port.
Comment 6 Joshua Padman 2018-07-25 00:07:47 EDT 
Clearing my needinfo as James has suitably answered the query.
Comment 13 errata-xmlrpc 2018-09-17 12:46:50 EDT 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:2710 https://access.redhat.com/errata/RHSA-2018:2710
Comment 14 errata-xmlrpc 2018-09-17 12:52:13 EDT 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2018:2715 https://access.redhat.com/errata/RHSA-2018:2715
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.