Date: Mon, 18 Mar 2019 15:47:23 +0000 From: Jeremy Stanley <fungi@...goth.org> To: oss-security@...ts.openwall.com Subject: [OSSA-2019-001] Unsupported dport option prevents applying security groups in OpenStack Neutron (CVE-2019-9735) ========================================================================= OSSA-2019-001: Unsupported dport option prevents applying security groups ========================================================================= :Date: March 13, 2019 :CVE: CVE-2019-9735 Affects ~~~~~~~ - Neutron: <10.0.8, >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3 Description ~~~~~~~~~~~ Erik Olof Gunnar Andersson with Blizzard Entertainment reported a vulnerability in Neutron's iptables firewall module. By setting a destination port in a security group rule along with a protocol which doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. Only deployments using the iptables security group driver are affected. Patches ~~~~~~~ - https://review.openstack.org/640791 (Ocata) - https://review.openstack.org/640790 (Pike) - https://review.openstack.org/640702 (Queens) - https://review.openstack.org/640685 (Rocky) - https://review.openstack.org/640619 (Stein) Credits ~~~~~~~ - Erik Olof Gunnar Andersson from Blizzard Entertainment (CVE-2019-9735) References ~~~~~~~~~~ - https://launchpad.net/bugs/1818385 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9735 -- Jeremy Stanley Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.