========================================================================= OSSA-2019-001: Unsupported dport option prevents applying security groups ========================================================================= :Date: March 13, 2019 :CVE: CVE-2019-9735 Affects ~~~~~~~ - Neutron: <10.0.8, >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3 Description ~~~~~~~~~~~ Erik Olof Gunnar Andersson with Blizzard Entertainment reported a vulnerability in Neutron's iptables firewall module. By setting a destination port in a security group rule along with a protocol which doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. Only deployments using the iptables security group driver are affected. Patches ~~~~~~~ - https://review.openstack.org/640791 (Ocata) - https://review.openstack.org/640790 (Pike) - https://review.openstack.org/640702 (Queens) - https://review.openstack.org/640685 (Rocky) - https://review.openstack.org/640619 (Stein) Credits ~~~~~~~ - Erik Olof Gunnar Andersson from Blizzard Entertainment (CVE-2019-9735) References ~~~~~~~~~~ - https://launchpad.net/bugs/1818385 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9735 -- Jeremy Stanley