Comment 43 for bug 1813007

Gage Hugo (gagehugo) wrote : Re: [SRU] Unable to install new flows on compute nodes when having broken security group rules

Here's an OSSA impact statement draft. If any of this information is incorrect, please feel free to correct me and I will revise.

Title: Overlapping security group rules prevent compute node network configuration
Reporter: Diko Parvanov (Canonical)
Products: Neutron
Affects: <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3

Description: Diko Parvanov (Canonical) reported a vulnerability in neutron-openvswitch-agent security group rules. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent neutron from being able to configure networks on any compute nodes where those security groups are present. All neutron deployments utilizing neutron-openvswitch-agent are affected.