[Openstack-security] [Bug 1534322] Re: On new port, traffic flow is allowed before security groups are programmed
Tristan Cacqueray
tdecacqu at redhat.com
Fri Jan 15 15:11:37 UTC 2016
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534322
Title:
On new port, traffic flow is allowed before security groups are
programmed
Status in neutron:
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
--
Description:
During the creation of a neutron port, in the ovs_neutron_agent, traffic flow is enabled shortly before security groups are programmed.
File: neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
Function: process_network_ports
Step-by-step:
During the creation of a neutron port, the following calls are made:
- treat_devices_added_or_updated
- sg_agent.setup_port_filters
- _bind_devices
Before early November, process_network_ports called
sg_agent.setup_port_filters before it called _bind_devices. This meant
that security groups were programmed before traffic flow was enabled by
_bind_devices, which sets the port-lvm mapping in br-int.
Bug #1512636 reversed this order of operation, so that _bind_devices
is called before sg_agent.setup_port_filters. This opens up a brief
security hole, allowing traffic to flow for a short time before
security groups are applied.
Proposed solution:
Revert bug #1512636
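The ordering defect described above, as an added illustration that is not neutron code or part of the bug report: the two agent steps named in the description (_bind_devices, which enables traffic in br-int, and sg_agent.setup_port_filters, which programs security groups) are modelled as events in a per-pass trace, and a checker flags every port whose bind precedes its filters. Port ids and the trace layout are constructed.

```python
"""Constructed model of the bind-before-filters ordering in process_network_ports.

Not neutron code: the two steps the bug report names are reduced to trace
events so the unsafe ordering can be checked mechanically.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    seq: int    # position in the agent's ordered trace
    port: str   # port id (constructed values below)
    op: str     # "bind" = traffic enabled, "filters" = SG rules applied

def process_network_ports(ports: list[str], bind_first: bool) -> list[Event]:
    """Emit the trace of one process_network_ports pass over `ports`.

    bind_first=False models the pre-November order (filters, then bind);
    bind_first=True models the order introduced by bug #1512636.
    Each step handles all ports in bulk, as the agent does.
    """
    first, second = ("bind", "filters") if bind_first else ("filters", "bind")
    trace, seq = [], 0
    for op in (first, second):
        for port in ports:
            trace.append(Event(seq, port, op))
            seq += 1
    return trace

def exposed_ports(trace: list[Event]) -> dict[str, int]:
    """Return {port: gap} for every port bound before its filters landed.

    gap = number of intervening trace events while traffic was allowed
    but unfiltered; -1 if filters never arrived. Empty dict means safe.
    """
    bound, filtered = {}, {}
    for ev in sorted(trace, key=lambda e: e.seq):
        target = bound if ev.op == "bind" else filtered
        target.setdefault(ev.port, ev.seq)   # first occurrence per port wins
    gaps = {}
    for port, b in bound.items():
        f = filtered.get(port)
        if f is None:
            gaps[port] = -1
        elif b < f:
            gaps[port] = f - b - 1
    return gaps

if __name__ == "__main__":
    ports = ["port-a", "port-b"]  # constructed ids
    print("safe order:", exposed_ports(process_network_ports(ports, bind_first=False)))
    print("bug order: ", exposed_ports(process_network_ports(ports, bind_first=True)))
```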
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534322/+subscriptions