[Openstack-security] [Bug 1534322] Re: On new port, traffic flow is allowed before security groups are programmed

OpenStack Infra 1534322 at bugs.launchpad.net
Tue Jan 19 12:01:19 UTC 2016


Reviewed:  https://review.openstack.org/268194
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ca193d023285e5b5b1b07a5f673a9864e75a2d8d
Submitter: Jenkins
Branch:    stable/liberty

commit ca193d023285e5b5b1b07a5f673a9864e75a2d8d
Author: Kevin Benton <kevinbenton at buttewifi.com>
Date:   Fri Jan 15 15:22:43 2016 +0000

    Revert "Change function call order in ovs_neutron_agent."
    
    This reverts commit c5629d59e3699cbee0adbbd3c4b296431294d307.
    
    Change-Id: Ie8779fae4210e71e8a0416ecd35b97fe35d4276e
    Closes-Bug: #1534322


** Tags added: in-stable-liberty

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534322

Title:
  On new port, traffic flow is allowed before security groups are
  programmed

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.

  --

  Description:
  During the creation of a neutron port, in the ovs_neutron_agent, traffic flow is enabled shortly before security groups are programmed.

  File: neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
  Function: process_network_ports

  Step-by-step:
  During the creation of a neutron port, the following calls are made:
  - treat_devices_added_or_updated
  - sg_agent.setup_port_filters
  - _bind_devices

  Before early November, process_network_ports called
  sg_agent.setup_port_filters before it called _bind_devices. This meant
  that security groups were programmed before traffic flow was enabled by
  _bind_devices, which sets the port-lvm mapping in br-int.

  Bug #1512636 reversed this order of operation, so that _bind_devices
  is called before sg_agent.setup_port_filters. This opens up a brief
  security hole, allowing traffic to flow for a short time before
  security groups are applied.

  Proposed solution:
  Revert bug #1512636

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534322/+subscriptions
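The ordering problem described in the bug report, as an added example that is not part of the original notification nor of neutron's own code. It models the three calls named in the report (treat_devices_added_or_updated, setup_port_filters, _bind_devices) as a recorded event sequence; the FakeAgent class, the packet_allowed stand-in and the exposed_devices checker are hypothetical helpers introduced here, and the bodies of the three steps are stand-ins for the real OVS flow and security-group programming, not reproductions of it.

```python
"""Model of the call-ordering window in process_network_ports.

Added example (not neutron code). The step names follow the bug report;
the step bodies are hypothetical stand-ins for the real br-int flow
programming and security-group rule installation.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Event:
    step: str    # "treat", "bind" or "filter"
    device: str  # port id (constructed sample names below)


@dataclass
class FakeAgent:
    """Records what a simplified ovs_neutron_agent does, in call order."""
    events: List[Event] = field(default_factory=list)
    bound: Dict[str, bool] = field(default_factory=dict)
    filtered: Dict[str, bool] = field(default_factory=dict)

    def treat_devices_added_or_updated(self, devices):
        for d in devices:
            self.events.append(Event("treat", d))

    def _bind_devices(self, devices):
        # Stand-in for setting the port -> local VLAN mapping in br-int:
        # once this has run for a port, traffic for that port can flow.
        for d in devices:
            self.bound[d] = True
            self.events.append(Event("bind", d))

    def setup_port_filters(self, devices):
        # Stand-in for programming the port's security-group rules.
        for d in devices:
            self.filtered[d] = True
            self.events.append(Event("filter", d))

    def packet_allowed(self, device):
        """What happens to a packet arriving for `device` right now.

        'unfiltered' is the hole: the port is wired up but no security
        group rules exist yet, so nothing restricts the traffic.
        """
        if not self.bound.get(device):
            return "dropped"      # port not yet wired into br-int
        if not self.filtered.get(device):
            return "unfiltered"   # wired, but no SG rules: traffic flows freely
        return "filtered"         # wired and subject to the port's SG rules


def process_network_ports(agent, devices, filters_before_bind):
    """Simplified call sequence from the bug report.

    filters_before_bind=True  -> the original order, restored by the revert
    filters_before_bind=False -> the order introduced by bug 1512636
    """
    agent.treat_devices_added_or_updated(devices)
    if filters_before_bind:
        agent.setup_port_filters(devices)
        agent._bind_devices(devices)
    else:
        agent._bind_devices(devices)
        agent.setup_port_filters(devices)
    return agent.events


def exposed_devices(events):
    """Ports for which a 'bind' event precedes their 'filter' event.

    Any such port had a window in which packet_allowed() would have
    answered 'unfiltered'. The invariant a reviewer wants is: this list
    is empty for every call order the agent can produce.
    """
    filtered, exposed = set(), []
    for ev in events:
        if ev.step == "bind" and ev.device not in filtered:
            exposed.append(ev.device)
        elif ev.step == "filter":
            filtered.add(ev.device)
    return exposed


if __name__ == "__main__":
    sample_ports = ["port-a", "port-b"]  # constructed sample input
    for order in (False, True):
        agent = FakeAgent()
        events = process_network_ports(agent, sample_ports, order)
        print("filters_before_bind=%s -> exposed: %s" % (order, exposed_devices(events)))
```

Running the model with the order introduced by bug 1512636 lists both sample ports as exposed; with the order restored by the revert the list is empty. The model also makes one property of the window visible: because the agent processes a batch of devices per loop, a port bound early in the batch stays unfiltered until the later filter loop reaches it, so the window is not limited to a single port's two calls.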