[Openstack-security] [Bug 1534322] Re: On new port, traffic flow is allowed before security groups are programmed
Tristan Cacqueray
tdecacqu at redhat.com
Wed Aug 23 00:36:59 UTC 2017
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
- --
-
Description:
During the creation of a neutron port, in the ovs_neutron_agent, traffic flow is enabled shortly before security groups are programmed.
File: neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
Function: process_network_ports
Step-by-step:
During the creation of a neutron port, the following calls are made:
- treat_devices_added_or_updated
- sg_agent.setup_port_filters
- _bind_devices
Before early November, process_network_ports called
sg_agent.setup_port_filters before it called _bind_devices. This meant
that security groups were programmed before traffic flow is enabled by
_bind_devices, which sets the port-lvm mapping in br-int.
Bug #1512636 reversed this order of operation, so that _bind_devices is
called before sg_agent.setup_port_filters. This opens up a brief
security hole, allowing traffic to flow for a short time before security
groups are applied.
Proposed solution:
Revert bug# 1512636
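As an added illustration (not neutron code, and not part of the bug report), the snippet below models the two orderings of setup_port_filters and _bind_devices described above and flags every port whose flows were bound before its security-group filters were programmed; the recorder class and function bodies are hypothetical stand-ins for the agent's real logic.

```python
# Added example: a minimal model of the OVS agent's per-port setup that
# records the order of the two steps the report discusses and detects any
# port that was bound (traffic enabled) before its filters were programmed.
from dataclasses import dataclass, field


@dataclass
class PortSetupLog:
    """Hypothetical event recorder standing in for agent instrumentation."""
    events: list = field(default_factory=list)

    def record(self, step: str, port_id: str) -> None:
        self.events.append((step, port_id))


def process_network_ports(port_ids, log, filters_first):
    """Simplified stand-in for process_network_ports.

    filters_first=True  models the original order (filters, then bind).
    filters_first=False models the reversed order introduced by #1512636.
    """
    for pid in port_ids:
        log.record("treat_devices_added_or_updated", pid)
    steps = ["setup_port_filters", "_bind_devices"]
    if not filters_first:
        steps.reverse()
    for step in steps:
        for pid in port_ids:
            log.record(step, pid)


def ports_exposed_before_filtering(log):
    """Return ports for which _bind_devices ran before setup_port_filters,
    i.e. ports that could pass traffic with no security-group rules applied."""
    filtered, exposed = set(), set()
    for step, pid in log.events:
        if step == "setup_port_filters":
            filtered.add(pid)
        elif step == "_bind_devices" and pid not in filtered:
            exposed.add(pid)
    return exposed


def check_order(port_ids, filters_first):
    """Run the modelled agent and report the set of exposed ports."""
    log = PortSetupLog()
    process_network_ports(port_ids, log, filters_first)
    return ports_exposed_before_filtering(log)


if __name__ == "__main__":
    print("safe order exposed:", check_order(["p1", "p2"], True))
    print("reversed order exposed:", check_order(["p1", "p2"], False))
```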
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534322
Title:
On new port, traffic flow is allowed before security groups are
programmed
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534322/+subscriptions