OpenStack Security Advisory

Missing Diffie-Hellman-Groups

Bug #1938284 reported by Maxim Korezkij on 2021-07-28

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Security Advisory	Won't Fix	Undecided	Unassigned
	neutron	In Progress	Wishlist	Unassigned

Bug Description

The values for the pfs (perfect forward secrecy) when creating an ike or ipsec policy are limited to the Diffie-Hellman-Groups 2,5 and 14.

Strongswan as the default provider supports more than these 3 groups, e.g. group20(ecp384).

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-07-28: Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/802714

Changed in neutron:
status:	New → In Progress

Jakub Libosvar (libosvar) on 2021-08-02

Changed in neutron:
importance:	Undecided → Medium
tags:	added: vpnaas

Jakub Libosvar (libosvar) on 2021-08-02

Changed in neutron:
importance:	Medium → Wishlist

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-05-24: Change abandoned on neutron-vpnaas (master)

Change abandoned by "Maxim Korezkij <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/802714
Reason: Abandon because no time. Feel free to reopen.

Revision history for this message

Enrico Kern (flyersa) wrote on 2023-07-19:

Can we finally implement this patch? Those groups are outdated since years. Clients request to support higher DH groups. Patch is also there, why not implement it?

Enrico Kern (flyersa) on 2023-07-24

information type:

Public → Public Security

Revision history for this message

Jeremy Stanley (fungi) wrote on 2023-07-24:

Note that you've changed the information type of this bug to Public Security, indicating it represents a possible security vulnerability. Since the OpenStack Vulnerability Management Team (VMT) does not officially oversee[*] the neutron-vpnaas deliverable, I'm adding a security advisory task with a Won't Fix status to indicate we're not tracking this for any future advisory publication.

[*] https://security.openstack.org/repos-overseen.html

Changed in ossa:
status:	New → Won't Fix

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-19: Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/898828

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-19: Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/898830

Revision history for this message

Bodo Petermann (bpetermann) wrote on 2023-10-19:

The patches above add not only the DH groups 15 to 31 but also more choices for encryption algorithm (to support AES CCM and AES GCM modes) and auth algorithms (to support aes-xcbc and aes-cmac).

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.