[Openstack-operators] Raising the degree of the scandal

George Shuklin george.shuklin at gmail.com
Sat May 16 21:28:26 UTC 2015


On 05/15/2015 07:48 PM, Jay Pipes wrote:
> On 05/15/2015 12:38 PM, George Shuklin wrote:
>> Just to let everyone know: broken antispoofing is not a 'security
>> issue' and the fix is not planned to be backported to Juno/Kilo.
>>
>> https://bugs.launchpad.net/bugs/1274034
>>
>> What can I say? All hail devstack! Who cares about production?
>
> George, I can understand you are frustrated with this issue and feel 
> strongly about it. However, I don't think notes like this are all that 
> productive.
>
> Would a more productive action be to tell the operator community a bit 
> about the vulnerability and suggest appropriate remedies to take?
>
Ok, sorry.

Short issue: if a few tenants use the same network (shared network), one tenant 
may disrupt the network activities of another tenant by sending specially 
crafted ARP packets on behalf of the victim. Normally, OpenStack 
prohibits the use of unauthorized addresses (this feature is called 
'antispoofing' and it is essential for multi-tenant clouds). This 
feature was subtly broken (a malicious tenant may not use other addresses, 
but may still disrupt the activities of other tenants).

Finally, that bug has been fixed. But now they say 'oh, it is not that 
important, we will not backport it to current releases, only to 
"Liberty"' because of the new ebtables dependency.
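The check described in the message above, as an added example (not code from the original post, and not Neutron's own implementation): a small Python model of the layer-2 rule that an IP-only (iptables) antispoofing filter cannot express, namely that ARP leaving a tenant port must carry that port's own MAC and one of its assigned IPs. It parses Ethernet/ARP frames with struct, builds a few constructed frames (the MACs, IPs and the allowed-IP set are made up for illustration), and shows that a legitimate reply passes while a poisoned reply claiming the victim's IP is dropped. The function and variable names are the example's own.

```python
import struct

ETH_P_ARP = 0x0806  # EtherType for ARP


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(eth_src, eth_dst, sha, spa, tha, tpa, op=2):
    """Build an Ethernet II frame carrying an IPv4 ARP packet.

    op: 1 = request, 2 = reply. sha/spa are the sender hardware/protocol
    addresses, tha/tpa the target ones (RFC 826 field names).
    """
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42:  # 14 bytes Ethernet + 28 bytes ARP
        return None
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(eth_src), "eth_dst": _mac(eth_dst), "op": op,
            "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}


def check_arp(frame, port_mac, allowed_ips):
    """Antispoofing verdict for one frame leaving a tenant port.

    port_mac:    the MAC assigned to the port.
    allowed_ips: the port's fixed IPs (plus any allowed address pairs).
    Returns (verdict, reason); verdict is "pass" or "drop".
    """
    arp = parse_arp(frame)
    if arp is None:
        # Non-ARP traffic is out of scope here: an IP-level filter handles it.
        # This is exactly why an IP-only filter misses ARP poisoning.
        return ("pass", "not an IPv4-over-Ethernet ARP frame")
    if arp["eth_src"] != port_mac:
        return ("drop", "ethernet source %s is not the port MAC" % arp["eth_src"])
    if arp["sha"] != port_mac:
        return ("drop", "ARP sender hardware address %s is not the port MAC" % arp["sha"])
    if arp["spa"] not in allowed_ips:
        return ("drop", "ARP sender IP %s is not assigned to this port" % arp["spa"])
    return ("pass", "ok")


# Constructed scenario (made-up addresses): two tenant ports on one shared
# network plus the network's gateway.
VICTIM_MAC, VICTIM_IP = "fa:16:3e:00:00:01", "10.0.0.5"
ATTACKER_MAC, ATTACKER_IP = "fa:16:3e:00:00:02", "10.0.0.6"
GATEWAY_MAC, GATEWAY_IP = "fa:16:3e:00:00:fe", "10.0.0.1"


def demo():
    """Run three frames from the attacker's port through the check."""
    # Honest reply: the attacker answers for its own IP.
    legit = build_arp(ATTACKER_MAC, GATEWAY_MAC, ATTACKER_MAC, ATTACKER_IP,
                      GATEWAY_MAC, GATEWAY_IP)
    # Poisoned reply: "10.0.0.5 is-at attacker MAC", so the gateway sends the
    # victim's traffic to the attacker (or nowhere). No IP header is involved.
    poison = build_arp(ATTACKER_MAC, GATEWAY_MAC, ATTACKER_MAC, VICTIM_IP,
                       GATEWAY_MAC, GATEWAY_IP)
    # Fully forged reply: the attacker also fakes the victim's MAC.
    forged = build_arp(VICTIM_MAC, GATEWAY_MAC, VICTIM_MAC, VICTIM_IP,
                       GATEWAY_MAC, GATEWAY_IP)
    return [check_arp(f, ATTACKER_MAC, {ATTACKER_IP})[0]
            for f in (legit, poison, forged)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The interesting case is `poison`: every Ethernet and ARP hardware field is genuinely the attacker's, so a filter that only matches on IP source addresses never sees anything wrong. The spoof is only visible by comparing the ARP sender protocol address against the port's assigned IPs, which is a layer-2 rule and the reason the real fix needed ebtables rather than iptables alone.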



