Bug 1690745 (CVE-2019-9735) - CVE-2019-9735 openstack-neutron: incorrect validation of port settings in iptables security group driver
Summary: CVE-2019-9735 openstack-neutron: incorrect validation of port settings in ipt...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1690387 1690746 1691121 1691122 1691123
Blocks: 1690749
TreeView+ depends on / blocked
 
Reported: 2019-03-20 07:25 UTC by Dhananjay Arunesh
Modified: 2021-02-16 22:13 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A validation flaw was discovered in the iptables firewall module in OpenStack Neutron. By setting a destination port in a security group rule, along with a protocol that does not support that option (for example, VRRP), an authenticated user could block further application of security group rules for instances from any project or tenant on the compute hosts to which it's applied. Only OpenStack deployments that use the iptables security group driver are affected.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:51:30 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0879 0 None None None 2019-04-30 17:35:12 UTC
Red Hat Product Errata RHSA-2019:0916 0 None None None 2019-04-30 16:58:15 UTC
Red Hat Product Errata RHSA-2019:0935 0 None None None 2019-04-30 17:23:32 UTC

Description Dhananjay Arunesh 2019-03-20 07:25:51 UTC 
An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)


Reference:
https://bugs.launchpad.net/neutron/+bug/1818385
https://seclists.org/oss-sec/2019/q1/183

Upstream commit:
https://git.openstack.org/cgit/openstack/neutron/commit/?id=8c213e45902e21d2fe00639ef7d92b35304bde82

Upstream Patches:
https://git.openstack.org/cgit/openstack/neutron/patch/?id=8c213e45902e21d2fe00639ef7d92b35304bde82
https://review.openstack.org/640619 
https://review.openstack.org/640790 
https://review.openstack.org/640702
https://review.openstack.org/640685 
https://review.openstack.org/640619
Comment 1 Dhananjay Arunesh 2019-03-20 07:26:06 UTC 
Created openstack-neutron tracking bugs for this issue:

Affects: openstack-rdo [bug 1690746]
Comment 7 Summer Long 2019-03-25 23:01:52 UTC 
External References:

https://seclists.org/oss-sec/2019/q1/183
Comment 8 Summer Long 2019-03-25 23:03:57 UTC 
Red Hat OpenStack Platform versions 10, 13, and 14 are affected by this vulnerability.
Comment 11 errata-xmlrpc 2019-04-30 16:58:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0916 https://access.redhat.com/errata/RHSA-2019:0916
Comment 12 errata-xmlrpc 2019-04-30 17:23:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0935 https://access.redhat.com/errata/RHSA-2019:0935
Comment 13 errata-xmlrpc 2019-04-30 17:35:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:0879 https://access.redhat.com/errata/RHSA-2019:0879
Note You need to log in before you can comment on or make changes to this bug.