CIDRs of the form 12.34.56.78/0 should be an error
Bug #1837339 reported by Stephen Crawley
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Confirmed | Low | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | New | Undecided | Unassigned | |
| neutron | Fix Released | Undecided | Unassigned | |
Bug Description
The problem is that some users do not understand how CIDRs work, and incorrectly use /0 when they are trying to specify a single IP or a subnet in an Access Rule. Unfortunately 12.34.56.78/0 means the same thing as 0.0.0.0/0.
The proposed fix is to insist that /0 only be used with 0.0.0.0/0 and the IPv6 equivalent ::/0 when entering or updating Access Rule CIDRs via the dashboard.
I am labeling this as a security vulnerability since it leads to naive users creating instances with ports open to the world when they didn't intend to do that.
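The check proposed in the description, written up as an added illustration with Python's standard `ipaddress` module (example code, not Horizon's or neutron's own implementation). It first shows that a rule backend normalizes 12.34.56.78/0 to 0.0.0.0/0, then rejects any /0 whose address part is not the unspecified address (0.0.0.0 or ::); the single-host prefix suggested in the rejection message is an assumption about what such a user meant, not part of the proposed fix.

```python
import ipaddress


def enforced_network(cidr):
    """Return the network a security-group rule with this CIDR really covers.

    strict=False discards the host bits beyond the prefix, which is exactly
    what the enforcing backend does: 12.34.56.78/0 covers every address,
    the same as 0.0.0.0/0.
    """
    return ipaddress.ip_network(cidr, strict=False)


def check_rule_cidr(cidr):
    """Validate a CIDR entered for an access rule.

    Returns (ok, detail). ok is False when the prefix is /0 but the address
    is not 0.0.0.0 or ::, the mistake described in the bug report. On
    success, detail is the normalized network string.
    """
    try:
        addr_part, _, _ = cidr.partition("/")
        addr = ipaddress.ip_address(addr_part)
        net = enforced_network(cidr)
    except ValueError as exc:
        return False, f"invalid CIDR {cidr!r}: {exc}"

    if net.prefixlen == 0 and not addr.is_unspecified:
        # Assumed UX hint: a /0 with a real address almost always means the
        # user wanted a single host, so offer the host-length prefix.
        host_prefix = addr.max_prefixlen  # 32 for IPv4, 128 for IPv6
        return False, (
            f"{cidr} would open the port to {net} (everyone); "
            f"use {addr}/{host_prefix} for a single host, "
            f"or {net} if you really mean all sources"
        )
    return True, str(net)


# Constructed sample inputs covering the cases the report describes.
SAMPLE_RULES = [
    "12.34.56.78/0",   # the reported mistake: rejected
    "0.0.0.0/0",       # intentional allow-all: accepted
    "::/0",            # IPv6 allow-all: accepted
    "2001:db8::1/0",   # IPv6 form of the mistake: rejected
    "10.0.0.0/8",      # ordinary subnet: accepted
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule, "->", check_rule_cidr(rule))
```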
Changed in horizon:
- status: New → Confirmed
- importance: Undecided → Low
- tags: added: ne
- tags: added: neutron ux; removed: ne
Since this definitely will benefit from a broader discussion and there's no benefit to keeping the report private, I've switched it to public security for now.
I feel like this doesn't actually describe a vulnerability which would get fixes backported to old releases, but rather a security hardening opportunity for upcoming releases. Regardless, it's worth getting additional input from whichever folks are going to be designing the solution to this.