Bugzilla – Bug 863751
VUL-0: CVE-2014-0071: openstack-neutron: Security Groups fail to block network traffic
Last modified: 2016-04-27 19:20:47 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1064163

Yair Fried of Red Hat reports: A regression from Grizzly and Havana exists in Neutron. Specifically, when default security groups are enabled they are not enforced, allowing connectivity to systems that should be blocked by the security groups. CVE-2014-0071 was assigned to this issue.

References:
https://review.openstack.org/#/c/62702/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0071
So the only relevant info I could find on this is in https://bugs.launchpad.net/devstack/+bug/1252620

And the short story is that with OVS, if the hybrid driver is not used, then this is vulnerable. We're using libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver in nova.conf, so I think we're safe. We'd be hit in Cloud 4 with Icehouse, but I assume that by then, upstream will have fixed the security issue.

Bernhard, can you double-check my analysis?
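The comment above turns on one nova.conf setting: with Open vSwitch, security groups are only enforced when the hybrid VIF driver is in use, because that driver puts a Linux bridge between each instance's tap device and the OVS integration bridge, which is where the iptables-based security group rules are applied. The following script is an added example, not part of this bug report or of the SUSE/OpenStack code: it parses an INI-style nova.conf and reports whether `libvirt_vif_driver` is set to the hybrid driver named in the comment. The class name used for the plain OVS driver (`LibvirtOpenVswitchDriver`) is an assumption about that nova release, and the three sample configurations are constructed for the example.

```python
"""Added example: audit nova.conf for the libvirt VIF driver setting.

Not code from the bug report. The hybrid driver class name is the one
quoted in the comment; the plain OVS driver class name is an assumption
about the nova release of that era. Sample configs are constructed.
"""

import configparser
import io

# Driver named in the comment above: the setting under which the
# iptables-based security group rules can be enforced.
HYBRID_DRIVER = "nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"

# Assumption: class name of the plain (non-hybrid) OVS driver, listed so
# the report can name the weak setting explicitly.
PLAIN_OVS_DRIVER = "nova.virt.libvirt.vif.LibvirtOpenVswitchDriver"


def load_conf(text):
    """Parse nova.conf text. The file is INI-style with a [DEFAULT] section;
    interpolation is disabled because values may legitimately contain '%'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    return parser


def vif_driver_status(conf_text):
    """Return (status, driver) for the configured libvirt VIF driver.

    status is one of:
      "ok"      - hybrid OVS bridge driver; security groups can be enforced
      "weak"    - plain OVS driver; the iptables rules are bypassed
      "unknown" - another driver (e.g. linuxbridge) or no explicit setting
    """
    conf = load_conf(conf_text)
    driver = conf.get("DEFAULT", "libvirt_vif_driver", fallback=None)
    if driver is None:
        return ("unknown", None)
    driver = driver.strip()
    if driver == HYBRID_DRIVER:
        return ("ok", driver)
    if driver == PLAIN_OVS_DRIVER:
        return ("weak", driver)
    return ("unknown", driver)


def audit_nova_conf(path):
    """Convenience wrapper: audit a nova.conf on disk (e.g. /etc/nova/nova.conf)."""
    with open(path, encoding="utf-8") as fh:
        return vif_driver_status(fh.read())


# Constructed sample configurations for the example.
SAFE_CONF = """[DEFAULT]
compute_driver = libvirt.LibvirtDriver
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
"""

WEAK_CONF = """[DEFAULT]
compute_driver = libvirt.LibvirtDriver
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchDriver
"""

UNSET_CONF = """[DEFAULT]
compute_driver = libvirt.LibvirtDriver
"""

if __name__ == "__main__":
    samples = (("safe", SAFE_CONF), ("weak", WEAK_CONF), ("unset", UNSET_CONF))
    for name, text in samples:
        status, driver = vif_driver_status(text)
        print(f"{name}: {status} ({driver})")
```

Run it against a real compute node with `audit_nova_conf("/etc/nova/nova.conf")`; an "unknown" result with no driver set means the release default applies, which is exactly the case the comment does not settle and should be checked against the release notes rather than assumed safe.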
bugbot adjusting priority
Affected packages: SLE-11-SP3-PRODUCTS: openstack-neutron
Tested with SUSE Cloud 3 GM + update-test in openvswitch and linuxbridge mode that traffic from outside the cloud to the floating IP is filtered by security groups and that traffic from another tenant to the nova_fixed IP is filtered, too. Just traffic between instances of the same tenant/project is allowed through, which is likely intended. So we are not affected by this issue.
The fix has been merged to Icehouse: https://bugs.launchpad.net/nova/+bug/1112912/comments/33
No product is affected and upstream has merged the fix to the Icehouse release, we close as resolved.