[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [OSSA-2019-001] Unsupported dport option prevents applying security groups in OpenSta
From: Jeremy Stanley <fungi () yuggoth ! org>
Date: 2019-03-18 15:47:23
Message-ID: 20190318154723.5tucbpkzibivnczg () yuggoth ! org
[Download RAW message or body]
=========================================================================
OSSA-2019-001: Unsupported dport option prevents applying security groups
=========================================================================
:Date: March 13, 2019
:CVE: CVE-2019-9735
Affects
~~~~~~~
- Neutron: <10.0.8, >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3
Description
~~~~~~~~~~~
Erik Olof Gunnar Andersson with Blizzard Entertainment reported a
vulnerability in Neutron's iptables firewall module. By setting a
destination port in a security group rule along with a protocol which
doesn't support that option (for example, VRRP), an authenticated user
may block further application of security group rules for instances
from any project/tenant on the compute hosts to which it's applied.
Only deployments using the iptables security group driver are
affected.
Patches
~~~~~~~
- https://review.openstack.org/640791 (Ocata)
- https://review.openstack.org/640790 (Pike)
- https://review.openstack.org/640702 (Queens)
- https://review.openstack.org/640685 (Rocky)
- https://review.openstack.org/640619 (Stein)
Credits
~~~~~~~
- Erik Olof Gunnar Andersson from Blizzard Entertainment (CVE-2019-9735)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1818385
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9735
--
Jeremy Stanley
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic