[Openstack-security] [Bug 1837339] Re: CIDR's of the form 12.34.56.78/0 should be an error
Jeremy Stanley
fungi at yuggoth.org
Thu Apr 2 03:09:46 UTC 2020
Per Tristan's suggestion, the VMT will treat this as a security
hardening opportunity, no advisory needed.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Public Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1837339
Title:
CIDR's of the form 12.34.56.78/0 should be an error
Status in OpenStack Dashboard (Horizon):
Confirmed
Status in neutron:
New
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
New
Bug description:
The problem is that some users do not understand how CIDRs work, and
incorrectly use /0 when they are trying to specify a single IP or a
subnet in an Access Rule. Unfortunately 12.34.56.78/0 means the same
thing as 0.0.0.0/0.
The proposed fix is to insist that /0 only be used with 0.0.0.0/0 and
the IPv6 equivalent ::/0 when entering or updating Access Rule CIDRs
in via the dashboard.
I am labeling this as a security vulnerability since it leads to naive
users creating instances with ports open to the world when they didn't
intend to do that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1837339/+subscriptions
More information about the Openstack-security
mailing list