[Openstack] Openstack potential security breach via ipv6

Brian Haley brian.haley at hpe.com
Fri Mar 4 18:20:26 UTC 2016


Icehouse is EOL, Kilo is close (2 months), from http://releases.openstack.org/ 
and all but one have been back-ported to Liberty.

https://review.openstack.org/#/c/268373/ might be the only one not back-ported, 
I'll try that cherry-pick today.

-Brian

On 03/04/2016 10:39 AM, Vincent Godin wrote:
> I saw this behaviour on Icehouse and on Kilo releases
>
> Vincent
>
> 2016-03-03 14:45 GMT+01:00 Brian Haley <brian.haley at hpe.com
> <mailto:brian.haley at hpe.com>>:
>
>     On 3/3/16 4:48 AM, Vincent Godin wrote:
>
>         If you install Openstack using ipv4 but without disabling ipv6 (like
>         almost all distributions) a VM in any tenant is able to connect to every
>         daemon listening on ipv6 on the compute (ssh, libvirt and ...). This is
>         due to the interfaces in the linux bridge attached to the VM which have
>         ipv6 addresses by default and then are listening like all interfaces of
>         the host. To do this, you just have to configure an ipv6 address on a VM
>         of a tenant.
>         To protect, you can just disable ipv6 or configure all daemons on the
>         compute to listen only on ipv4 addresses
>
>
>     You didn't say which version you are running, but we did address this issue
>     in Liberty, with additional patches in Mitaka.  Most changes have been
>     backported to the stable branches.
>
>     https://bugs.launchpad.net/nova/+bug/1470931
>     https://bugs.launchpad.net/neutron/+bug/1302080
>     https://bugs.launchpad.net/neutron/+bug/1534652
>
>     https://review.openstack.org/#/c/198054/
>     https://review.openstack.org/#/c/241076
>     https://review.openstack.org/#/c/268373/
>     https://review.openstack.org/#/c/275293/
>
>     Those reviews should have links to the changes that were cherry-picked to
>     stable.
>
>     -Brian
>
>
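The exposure described in the thread is easy to audit on a compute node: list which host daemons are bound to the IPv6 wildcard address and which bridge/tap interfaces still carry an IPv6 address, then apply the workaround Vincent names (switch IPv6 off on those interfaces) until the Liberty/Mitaka fixes are in place. The script below is an added example, not code from the thread or from Nova/Neutron. It parses `ss -lntu` and `ip -o -6 addr` output; by default it runs on constructed sample output embedded in the script, and `LIVE=1` makes it read the real host. The Neutron interface name prefixes it looks for (qbr, tap, qvb, qvo, brq) are an assumption about the deployment's naming.

```shell
#!/bin/sh
# Added audit helper for the IPv6 exposure discussed in the thread (not code
# from the thread or from OpenStack). It shows (1) listeners bound to [::],
# (2) bridge/tap interfaces carrying any IPv6 address, and (3) the sysctl
# lines that would disable IPv6 on them. Sample data below is constructed.

# Constructed sample of `ss -lntu` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      128    127.0.0.1:16509     0.0.0.0:*
tcp   LISTEN 0      128    [::]:16509          [::]:*
tcp   LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*'

# Constructed sample of `ip -o -6 addr` output (not captured from a real host).
SAMPLE_IP='1: lo    inet6 ::1/128 scope host
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link
7: qbr0a1b2c3d-4e    inet6 fe80::a8bb:ccff:fedd:eeff/64 scope link
8: tap0a1b2c3d-4e    inet6 fe80::fc16:3eff:fe11:2233/64 scope link'

# Print, space separated and numerically sorted, the ports of listeners bound
# to the IPv6 wildcard address. Reads `ss -lntu` style lines on stdin.
v6_wildcard_ports() {
    awk '$5 ~ /^\[::\]:[0-9]+$/ { sub(/^\[::\]:/, "", $5); print $5 }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Print, space separated, the Neutron-style bridge/tap interfaces (assumed
# prefixes qbr/tap/qvb/qvo/brq) that have any IPv6 address. A link-local
# address is enough: a VM on the same bridge can reach it directly.
# Reads `ip -o -6 addr` style lines on stdin.
v6_bridge_ifaces() {
    awk '{ sub(/:$/, "", $2) } $2 ~ /^(qbr|tap|qvb|qvo|brq)/ { print $2 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Emit the sysctl commands that disable IPv6 on each interface named on stdin
# (one per line), preceded by the "default" knob so tap devices created later
# inherit the setting. Commands are printed, not executed.
ipv6_disable_cmds() {
    echo "sysctl -w net.ipv6.conf.default.disable_ipv6=1"
    while read -r ifname; do
        if [ -n "$ifname" ]; then
            echo "sysctl -w net.ipv6.conf.${ifname}.disable_ipv6=1"
        fi
    done
}

# Run against the constructed samples by default; LIVE=1 audits this host.
if [ "${LIVE:-0}" = "1" ]; then
    ss_out=$(ss -lntu)
    ip_out=$(ip -o -6 addr)
else
    ss_out=$SAMPLE_SS
    ip_out=$SAMPLE_IP
fi

echo "Ports bound to the IPv6 wildcard [::]: $(printf '%s\n' "$ss_out" | v6_wildcard_ports)"
ifaces=$(printf '%s\n' "$ip_out" | v6_bridge_ifaces)
echo "Bridge/tap interfaces with IPv6 addresses: $ifaces"
echo "Workaround (review, then run as root):"
printf '%s\n' "$ifaces" | tr ' ' '\n' | ipv6_disable_cmds
```

On the sample data the script reports ports 22 and 16509 bound to `[::]` and the qbr/tap pair as carrying IPv6 addresses. Note that `net.ipv6.conf.default.disable_ipv6=1` affects every interface created afterwards, so on a compute node that must carry IPv6 tenant traffic the other workaround from the thread, binding sshd and libvirtd to IPv4 addresses only, is the safer choice.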