Bug 864183 (CVE-2014-0592) - VUL-0: CVE-2014-0592: crowbar-barclamp-network: SUSE Cloud 3 doesn't enforce security groups
Summary: VUL-0: CVE-2014-0592: crowbar-barclamp-network: SUSE Cloud 3 doesn't enforce ...
Status: RESOLVED FIXED
Alias: CVE-2014-0592
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:56284:important maint:r...
Keywords:
Depends on:
Blocks:
Reported: 2014-02-16 07:34 UTC by Vincent Untz
Modified: 2014-03-26 23:04 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Vincent Untz 2014-02-16 07:34:11 UTC
While analyzing bug 863751 (CVE-2014-0071), I found out that we do not enforce security groups in SUSE Cloud 3. This is actually not related to the CVE of that bug, but is because of a bug where we disabled netfilter on bridges for the wrong reasons.

The fix is: https://github.com/crowbar/barclamp-network/pull/269

The impact is that instances started in SUSE Cloud 3 are not protected through the firewall of OpenStack networking, and if they have a floating IP, they're reachable from the outside. This is mitigated by the fact that, usually, instances don't have a lot of services running and opening ports, and by the fact that instances don't automatically get a floating IP.
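A defender-side check for the condition described above, added here as an example and not part of the bug report or of crowbar itself. It assumes that "netfilter on bridges" refers to the Linux `net.bridge.bridge-nf-call-*` sysctls (provided by the br_netfilter code), which must be 1 for iptables-based security group rules to see traffic crossing a compute node's bridges; the sample sysctl listings are constructed.

```shell
#!/bin/sh
# Added example: verify that a compute node's bridges actually pass traffic
# through netfilter, i.e. that iptables-based security groups can take effect.
# Assumption: security groups are enforced as iptables rules on bridge ports,
# so they are silently bypassed when the bridge-nf-call-* sysctls are 0.

# Evaluate a "key = value" listing in the format `sysctl -a` prints and
# report each bridge netfilter hook that is missing or disabled.
# Returns 0 only when all three hooks are enabled.
check_bridge_nf() {
    listing="$1"
    rc=0
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-arptables; do
        value=$(printf '%s\n' "$listing" | awk -v k="$key" '$1 == k { print $3 }')
        if [ -z "$value" ]; then
            echo "MISSING  $key (bridge netfilter not loaded?)"
            rc=1
        elif [ "$value" != "1" ]; then
            echo "DISABLED $key = $value (security groups not enforced)"
            rc=1
        else
            echo "ok       $key = 1"
        fi
    done
    return $rc
}

# Constructed sample resembling a node where netfilter was turned off on bridges.
BROKEN_SAMPLE='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0'

# Constructed sample of a node with the hooks enabled.
FIXED_SAMPLE='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1'

# Live use on a compute node: check_bridge_nf "$(sysctl -a 2>/dev/null)"
```

Run it against a real node with the last line's invocation; a non-zero exit means instance traffic is bypassing the security group rules regardless of what Neutron has configured.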
Comment 2 Marcus Meissner 2014-02-17 07:17:59 UTC
Is this a SUSE-code-specific or a general OpenStack issue?
Comment 3 Vincent Untz 2014-02-17 07:49:07 UTC
Yes, it's SUSE-specific.
Comment 4 Marcus Meissner 2014-02-17 10:08:42 UTC
Use CVE-2014-0592
Comment 5 Swamp Workflow Management 2014-02-17 23:00:12 UTC
bugbot adjusting priority
Comment 6 SMASH SMASH 2014-02-19 08:55:12 UTC
Affected packages:

SLE-11-SP3-PRODUCTS: openstack-neutron
Comment 7 Vincent Untz 2014-02-19 21:19:17 UTC
Submitted sr#33186.
Comment 16 Marcus Meissner 2014-03-26 13:57:33 UTC
released, and made bug public
Comment 17 Swamp Workflow Management 2014-03-26 19:46:03 UTC
Update released for: crowbar-barclamp-network
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 18 Swamp Workflow Management 2014-03-26 23:04:20 UTC
SUSE-SU-2014:0452-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 864183
CVE References: CVE-2014-0592
Sources used:
SUSE Cloud 3 (src):    crowbar-barclamp-network-1.7+git.1392820032.ebfa91f-0.7.2