[Openstack] Openstack potential security breach via ipv6
Brian Haley
brian.haley at hpe.com
Fri Mar 4 18:20:26 UTC 2016
Icehouse is EOL, Kilo is close (2 months), from http://releases.openstack.org/
and all but one have been back-ported to Liberty.
https://review.openstack.org/#/c/268373/ might be the only one not back-ported,
I'll try that cherry-pick today.
-Brian
On 03/04/2016 10:39 AM, Vincent Godin wrote:
> I saw this behaviour on Icehouse and on Kilo releases
>
> Vincent
>
> 2016-03-03 14:45 GMT+01:00 Brian Haley <brian.haley at hpe.com>:
>
> On 3/3/16 4:48 AM, Vincent Godin wrote:
>
> If you install OpenStack using IPv4 but without disabling IPv6 (like
> almost all distributions), a VM in any tenant is able to connect to every
> daemon listening on IPv6 on the compute node (ssh, libvirt and ...). This is
> due to the interfaces in the Linux bridge attached to the VM, which have
> IPv6 addresses by default and are therefore listening like all interfaces of
> the host. To do this, you just have to configure an IPv6 address on a VM
> of a tenant.
> To protect against it, you can just disable IPv6 or configure all daemons on the
> compute node to listen only on IPv4 addresses.
>
>
> You didn't say which version you are running, but we did address this issue
> in Liberty, with additional patches in Mitaka. Most changes have been
> backported to the stable branches.
>
> https://bugs.launchpad.net/nova/+bug/1470931
> https://bugs.launchpad.net/neutron/+bug/1302080
> https://bugs.launchpad.net/neutron/+bug/1534652
>
> https://review.openstack.org/#/c/198054/
> https://review.openstack.org/#/c/241076
> https://review.openstack.org/#/c/268373/
> https://review.openstack.org/#/c/275293/
>
> Those reviews should have links to the changes that were cherry-picked to
> stable.
>
> -Brian
>
>
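The audit below is an added example for this thread; it is not code from OpenStack, from the Nova/Neutron changes linked above, or from either poster. It checks a compute host for the two conditions Vincent describes together: VM-facing interfaces (tap ports and the bridge they sit on) that carry an IPv6 address, and host daemons bound to the IPv6 wildcard, which is what makes them reachable from a guest that sets an IPv6 address on its NIC. The interface prefixes it looks for (tap, qbr, qvb, qvo for Neutron ports, brq for the linuxbridge agent) are an assumption about the deployment, and the `ip`/`ss` output it parses when those tools are absent is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread; not code from OpenStack or from the posters.
# Audits a compute host for the exposure described above: VM-facing interfaces
# that carry IPv6 addresses while host daemons bind the IPv6 wildcard, and
# prints the per-interface sysctl that removes IPv6 from those interfaces.
# Assumed interface prefixes: tap/qbr/qvb/qvo (Neutron ports), brq (linuxbridge).

# Read `ip -6 -o addr show` output on stdin; print "iface address" for every
# VM-facing interface that has an IPv6 address (link-local ones included).
vm_ifaces_with_ipv6() {
    awk '$3 == "inet6" && $2 ~ /^(tap|qbr|qvb|qvo|brq)/ { print $2, $4 }'
}

# Read `ss -6 -lnt` output on stdin; print the port of every TCP listener bound
# to the IPv6 wildcard. Older ss prints it as ":::22", newer as "[::]:22" or
# "*:22"; a loopback-only listener such as "[::1]:631" is deliberately skipped.
ipv6_wildcard_ports() {
    awk '$1 == "LISTEN" && $4 ~ /^(:::|\[::\]:|\*:)[0-9]+$/ {
             sub(/.*:/, "", $4); print $4 }'
}

# Read "iface address" lines on stdin; print one sysctl command per distinct
# interface that turns IPv6 off on that interface only.
disable_ipv6_cmds() {
    awk '!seen[$1]++ { printf "sysctl -w net.ipv6.conf.%s.disable_ipv6=1\n", $1 }'
}

# Constructed sample output (not captured from a real host), in the two
# address formats ss has used over the years.
SAMPLE_IP='2: eth0       inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever
5: brqabc123  inet6 fe80::2/64 scope link \       valid_lft forever preferred_lft forever
6: tap1a2b3c  inet6 fe80::3/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    :::22              :::*
LISTEN 0      30     [::]:16509         [::]:*
LISTEN 0      5      [::1]:631          [::]:*'

# Print the report for one ip(8) listing ($1) and one ss(8) listing ($2).
report() {
    echo "VM-facing interfaces with IPv6 addresses:"
    printf '%s\n' "$1" | vm_ifaces_with_ipv6
    echo "TCP ports listening on the IPv6 wildcard:"
    printf '%s\n' "$2" | ipv6_wildcard_ports
    echo "Per-interface mitigation:"
    printf '%s\n' "$1" | vm_ifaces_with_ipv6 | disable_ipv6_cmds
}

# Stand-alone run: audit the live host when ip/ss are available, otherwise
# show the report on the constructed sample.
if command -v ip >/dev/null 2>&1 && command -v ss >/dev/null 2>&1; then
    report "$(ip -6 -o addr show 2>/dev/null)" "$(ss -6 -lnt 2>/dev/null)"
else
    report "$SAMPLE_IP" "$SAMPLE_SS"
fi
```

The per-interface sysctl is the narrow version of the "disable IPv6" option in the thread (the blanket form is net.ipv6.conf.all.disable_ipv6=1); it removes the host's link-local address from the tap/bridge segment only, which is harmless unless the host is meant to speak IPv6 on that segment. The other option the thread gives, binding daemons to IPv4 only, is per daemon: for example `AddressFamily inet` in sshd_config, or `listen_addr` set to an IPv4 address in libvirtd.conf. Run the audit again after either change; both lists should be empty.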