[Openstack] Openstack potential security breach via ipv6

Shinobu Kinjo shinobu.kj at gmail.com
Fri Mar 4 01:41:09 UTC 2016


@Brian,

That is exactly what I want to know.

Cheers,
S

On Thu, Mar 3, 2016 at 10:45 PM, Brian Haley <brian.haley at hpe.com> wrote:
> On 3/3/16 4:48 AM, Vincent Godin wrote:
>>
>> If you install Openstack using ipv4 but without disabling ipv6 (like
>> almost all distributions) a VM in any tenant is able to connect to every
>> daemon listening in ipv6 on the compute (ssh, libvirt and ...). This is
>> due to the interfaces in the linux bridge attached to the VM which have
>> ipv6 addresses by default and then are listening like all interfaces of
>> the host. To do this, you just have to configure an ipv6 address on a VM
>> of a tenant.
>> To protect, you can just disable ipv6 or configure all daemons on the
>> compute to listen only on ipv4 addresses
>
>
> You didn't say which version you are running, but we did address this issue
> in Liberty, with additional patches in Mitaka.  Most changes have been
> backported to the stable branches.
>
> https://bugs.launchpad.net/nova/+bug/1470931
> https://bugs.launchpad.net/neutron/+bug/1302080
> https://bugs.launchpad.net/neutron/+bug/1534652
>
> https://review.openstack.org/#/c/198054/
> https://review.openstack.org/#/c/241076
> https://review.openstack.org/#/c/268373/
> https://review.openstack.org/#/c/275293/
>
> Those reviews should have links to the changes that were cherry-picked to
> stable.
>
> -Brian
>
>



-- 
Email:
shinobu at linux.com
GitHub:
shinobu-x
Blog:
Life with Distributed Computational System based on OpenSource
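
The exposure described in the quoted report can be checked on a compute host by comparing IPv6 listeners with the addresses on guest-facing devices. The following is an added example, not part of the original thread or of OpenStack's code; the device-name prefixes, the function names and the sample data are assumptions constructed for illustration, and a little-endian host is assumed for the `/proc/net/tcp6` address layout.

```python
import ipaddress

# Assumption: name prefixes of guest-facing bridge/tap devices on this host.
GUEST_PREFIXES = ("brq", "qbr", "tap")

# Constructed samples in the layout of /proc/net/if_inet6 and /proc/net/tcp6
# (tcp6 columns after "st" omitted; little-endian host assumed).
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000f8163efffe3e1a2b 07 40 20 80 brqabcd1234-ef
fe80000000000000fc163efffe3e1a2b 08 40 20 80 tap1234abcd-56
"""
SAMPLE_TCP6 = """\
sl local_address remote_address st
0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A
2: 00000000000000000000000000000000:407D 00000000000000000000000000000000:0000 0A
3: 000080FE00000000FF3E16F82B1A3EFE:0016 000080FE00000000FF3E16F8010000AA:C350 01
"""

def iface_addrs(text):
    """Map interface name -> IPv6 addresses, skipping loopback."""
    out = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 6 and f[5] != "lo":
            out.setdefault(f[5], []).append(ipaddress.IPv6Address(bytes.fromhex(f[0])))
    return out

def listeners(text):
    """Return (address, port) for each socket in LISTEN state (st == 0A)."""
    res = []
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 4 and f[3] == "0A":
            addr, port = f[1].split(":")
            # Each 32-bit word is printed in host byte order; reverse per word.
            raw = b"".join(bytes.fromhex(addr[i:i + 8])[::-1] for i in range(0, 32, 8))
            res.append((ipaddress.IPv6Address(raw), int(port, 16)))
    return res

def exposed(if_text, tcp_text, prefixes=GUEST_PREFIXES):
    """Listening ports reachable over IPv6 through guest-facing devices."""
    guest = {n: a for n, a in iface_addrs(if_text).items() if n.startswith(prefixes)}
    addrs = {a for lst in guest.values() for a in lst}
    ports = sorted({p for a, p in listeners(tcp_text)
                    if guest and (a.is_unspecified or a in addrs)})
    return {"interfaces": sorted(guest), "ports": ports}

if __name__ == "__main__":
    print(exposed(SAMPLE_IF_INET6, SAMPLE_TCP6))
```

On a real host, pass the contents of `/proc/net/if_inet6` and `/proc/net/tcp6` instead of the samples; an empty `interfaces` list means no guest-facing device carries an IPv6 address.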



