Bug 1695451 - CVE-2019-10876 openstack-neutron: DOS via broken port range merging in security group [openstack-13-default]
Summary: CVE-2019-10876 openstack-neutron: DOS via broken port range merging in securi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2020-02-28
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z6
Target Release: 13.0 (Queens)
Assignee: Bernard Cafarelli
QA Contact: Roee Agiman
URL:
Whiteboard:
Depends On: 1695450
Blocks: 1695452 CVE-2019-10876
Reported: 2019-04-03 06:52 UTC by Slawek Kaplonski
Modified: 2022-07-09 15:09 UTC
CC List: 7 users

Fixed In Version: openstack-neutron-12.0.5-10.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1695450
Clones: 1695452
Environment:
Last Closed: 2019-04-30 17:23:34 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1813007 0 None None None 2019-04-03 06:52:18 UTC
OpenStack gerrit 648004 0 None None None 2019-04-03 12:08:58 UTC
Red Hat Issue Tracker OSP-17502 0 None None None 2022-07-09 15:09:38 UTC
Red Hat Product Errata RHSA-2019:0935 0 None None None 2019-04-30 17:23:46 UTC

Description Slawek Kaplonski 2019-04-03 06:52:19 UTC
+++ This bug was initially created as a clone of Bug #1695450 +++

It appears that we have found that neutron-openvswitch-agent appears to have a bug where two security group rules that have two different port ranges that overlap tied to the same parent security group will cause neutron to not be able to configure networks on the compute nodes where those security groups are present.
Those are the broken security rules: https://pastebin.canonical.com/p/wSy8RSXt85/
Here is the log when we discovered the issue: https://pastebin.canonical.com/p/wvFKjNWydr/

It affects only the openvswitch firewall driver.

Backports proposed U/S: https://review.openstack.org/#/q/I17ab643abbd2ec21eda4ae1dfb9abf2d4b0657f2
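As an added example, not code from neutron or from this bug report: a small Python audit that groups security group rules by the attributes the OVS firewall driver would otherwise merge into one set of flows and flags rules whose port ranges overlap, next to a range merge that tolerates overlapping and adjacent ranges. The sample rule dicts, their ids and the grouping key are constructed assumptions based on the neutron security-group-rule API field names.

```python
from collections import defaultdict

# Constructed sample rules (not from the bug report); field names follow the
# neutron security-group-rule API. r1 and r2 overlap on TCP ports 85-90.
SAMPLE_RULES = [
    {"id": "r1", "security_group_id": "sg-web", "direction": "ingress",
     "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 80, "port_range_max": 90},
    {"id": "r2", "security_group_id": "sg-web", "direction": "ingress",
     "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 85, "port_range_max": 100},
    {"id": "r3", "security_group_id": "sg-web", "direction": "egress",
     "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 80, "port_range_max": 100},
]

def port_range(rule):
    # A rule without explicit ports covers all ports (neutron semantics).
    return (rule.get("port_range_min") or 1, rule.get("port_range_max") or 65535)

def flow_key(rule):
    # Assumed grouping: rules sharing these attributes differ only by port range,
    # so the agent has to merge their ranges into one set of flows.
    return (rule["security_group_id"], rule["direction"], rule["ethertype"],
            rule.get("protocol"), rule.get("remote_ip_prefix"), rule.get("remote_group_id"))

def merge_port_ranges(ranges):
    """Merge overlapping or adjacent (lo, hi) ranges into a sorted, disjoint list."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:      # overlaps or touches previous
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def find_overlapping_rules(rules):
    """Return (id_a, id_b) pairs of same-key rules whose port ranges intersect."""
    by_key = defaultdict(list)
    for rule in rules:
        by_key[flow_key(rule)].append(rule)
    hits = []
    for group in by_key.values():
        group.sort(key=port_range)
        for i, a in enumerate(group):
            lo_a, hi_a = port_range(a)
            for b in group[i + 1:]:
                lo_b, hi_b = port_range(b)
                if lo_b <= hi_a and lo_a <= hi_b:     # closed intervals intersect
                    hits.append((a["id"], b["id"]))
    return hits
```

Running `find_overlapping_rules` over the rules of each security group before an agent upgrade shows which groups would hit the merging path on an unpatched openvswitch firewall driver.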

Comment 2 msiddiqu 2019-04-05 12:47:59 UTC
A change was made (new impact, public date, or CSAw status) to the security issue(s) blocked by this tracker, resulting in a new SLA deadline. This bug must now be resolved by 28-Feb-2020.

Refer to this bug's Description for information about how to resolve this bug.

Comment 12 errata-xmlrpc 2019-04-30 17:23:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0935

