Security groups fail to be set correctly if incorrect case is used for protocol specification
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Medium | Russell Bryant | |
| Essex | Fix Released | Medium | Russell Bryant | |
| nova (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Precise | Fix Released | Undecided | Unassigned | |
Bug Description
The high level issue is that if a security group rule is specified with the protocol in uppercase (e.g. TCP instead of tcp) on a system using the IpTablesFirewal
The detail of the issue is as follows (Described from the OSAPI perspective, but the problem also exists on EC2)
When a security group rule is specified with the protocol in upper case it is validated (contrig/
```python
if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
    …
values[
```
When the security group refresh is triggered (virt/firewall.py, instance_rules()), the protocol check is case sensitive:
```python
if protocol in ['udp', 'tcp']:
if rule.cidr:
```
Because the protocol doesn’t match ‘udp’ or ‘tcp’ the protocol part of the rule is skipped, leading to an incomplete and invalid iptables command line.
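The mismatch described above, modelled as an added example (not nova's code): a validator that accepts any case, a rule builder that only matches lowercase names, and a normalizing validator that closes the gap plus an audit helper for rules already stored in the wrong case. Rule, rule_args_buggy, validate_protocol, rule_args_fixed and find_unnormalized are assumed names, and the rule shape is a simplification.

```python
from dataclasses import dataclass
from typing import List, Optional

VALID_PROTOCOLS = ['TCP', 'UDP', 'ICMP']  # same set as the validator quoted in the report


@dataclass
class Rule:
    """Stand-in for a stored security group rule (assumed shape)."""
    protocol: Optional[str]
    from_port: Optional[int]
    to_port: Optional[int]
    cidr: Optional[str]


def rule_args_buggy(rule: Rule) -> List[str]:
    """Mirrors the case-sensitive check quoted from instance_rules(): the
    protocol/port clause is emitted only when the stored value is exactly
    'udp' or 'tcp', so a rule stored as 'TCP' loses its '-p tcp --dport ...'."""
    args: List[str] = []
    if rule.protocol in ['udp', 'tcp']:
        args += ['-p', rule.protocol]
        if rule.from_port is not None:
            args += ['--dport', f'{rule.from_port}:{rule.to_port}']
    if rule.cidr:
        args += ['-s', rule.cidr]
    return args + ['-j', 'ACCEPT']


def validate_protocol(ip_protocol: str) -> str:
    """Accepts any case, as the report's validator does, but also returns the
    canonical lowercase form so later case-sensitive consumers see 'tcp'."""
    if ip_protocol.upper() not in VALID_PROTOCOLS:
        raise ValueError(f'invalid protocol {ip_protocol!r}')
    return ip_protocol.lower()


def rule_args_fixed(rule: Rule) -> List[str]:
    """Same builder, fed a rule whose protocol was normalized on the way in."""
    proto = validate_protocol(rule.protocol) if rule.protocol else None
    return rule_args_buggy(Rule(proto, rule.from_port, rule.to_port, rule.cidr))


def find_unnormalized(rules: List[Rule]) -> List[Rule]:
    """Audit helper: rules already stored with a non-lowercase protocol are
    the ones the buggy path renders without a protocol clause."""
    return [r for r in rules if r.protocol and r.protocol != r.protocol.lower()]
```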
Related branches
- Chuck Short: Pending requested
- Diff: 56 lines (+14/-4), 3 files modified:
  - debian/changelog (+8/-0)
  - debian/control (+6/-3)
  - debian/nova-console.install (+0/-1)
Changed in nova:
- importance: Undecided → High
- status: New → Triaged

Changed in nova:
- importance: High → Medium
- visibility: private → public

Changed in nova:
- status: Fix Committed → Fix Released

Changed in nova (Ubuntu):
- status: New → Fix Released

Changed in nova (Ubuntu Precise):
- status: New → Confirmed

Changed in nova:
- milestone: folsom-2 → 2012.2
- no longer affects: nova/diablo
@all I suggest that this is a "Normal" level security bug as per: http://wiki.openstack.org/VulnerabilityManagement
Looks like it should be an easy fix, thoughts?