[Openstack-security] [Bug 1534322] Fix proposed to neutron (stable/liberty)
OpenStack Infra
1534322 at bugs.launchpad.net
Fri Jan 15 15:23:20 UTC 2016
Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/268194
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534322
Title:
On new port, traffic flow is allowed before security groups are
programmed
Status in neutron:
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
--
Description:
During the creation of a neutron port, in the ovs_neutron_agent, traffic flow is enabled shortly before security groups are programmed.
File: neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
Funtion: process_network_ports
Step-by-step:
During the creation of a neutron port, the following calls are made:
- treat_devices_added_or_updated
- sg_agent.setup_port_filters
- _bind_devices
Before early November, process_network_ports called
sg_agent.setup_port_filters before it called _bind_devices. This meant
that security groups were programmed before traffic flow is enabled by
_bind_devices, which sets the port-lvm mapping in br-int.
Bug #1512636 reversed this order of operation, so that _bind_devices
is called before sg_agent.setup_port_filters. This opens up a brief
security hole, allowing traffic to flow for a short time before
security groups are applied.
Proposed solution:
Revert bug# 1512636
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534322/+subscriptions
More information about the Openstack-security
mailing list