[Bug 1749667] Re: neutron doesn't correctly handle unknown protocols and should whitelist known and handled protocols
Edward Hope-Morley
edward.hope-morley at canonical.com
Tue Nov 27 14:19:37 UTC 2018
** Description changed:
+ [Impact]
+ Neutron allowed users to create security group rules that would translate to invalid iptables rules thus causing neutron to fail when it attempted to apply them. This is now fixed for >= Pike and we are backporting for Ocata.
+
+ [Test Case]
+ * deploy openstack ocata
+ * create an invalid security group rule e.g.
+
+ openstack security group rule create --protocol gre --dst-port 0:255 jmclane
+
+ * check that request is rejected with e.g.
+
+ Error while executing command: BadRequestException: Unknown error, {"NeutronError": {"message": "Invalid protocol 47 for port range, only supported for TCP, UDP, UDPLITE, SCTP and DCCP.", "type": "SecurityGroupInvalidProtocolForPortRange", "detail": ""}}
+
+ [Regression Potential]
+ Upgrading to this patch will reject new api requests that try to create invalid rules but will not cleanup invalid rules already extant.
+
+ -----------------------------------------------------------------------------
+
We have had problems with openvswitch agent continuously restarting and
never actually completing setup because of this:
# Completed by iptables_manager
; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
Error occurred at line: 83
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
- 83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN
+ 83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN
---
Someone has managed to inject a rule that is, effectively, a DoS.
** Summary changed:
- neutron doesn't correctly handle unknown protocols and should whitelist known and handled protocols
+ [SRU] neutron doesn't correctly handle unknown protocols and should whitelist known and handled protocols
** Tags added: sts sts-sru-needed
** Patch added: "lp1749667-xenial-ocata.debdiff"
https://bugs.launchpad.net/cloud-archive/+bug/1749667/+attachment/5216782/+files/lp1749667-xenial-ocata.debdiff
https://bugs.launchpad.net/bugs/1749667
Title:
[SRU] neutron doesn't correctly handle unknown protocols and should
whitelist known and handled protocols
Status in Ubuntu Cloud Archive:
Fix Released
Status in neutron:
Fix Released
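An added example, not code from neutron or from the bug report, that models both halves of the report above: the unvalidated rendering of a security group rule with a port range into the "-m multiport" iptables rule that iptables-restore rejects for anything other than TCP, UDP, UDPLITE, SCTP and DCCP, and the API-side whitelist check that rejects such a rule before it ever reaches the agent. It also includes an audit over already-stored rules, since the [Regression Potential] note says the fix rejects new invalid rules but does not clean up existing ones. The function names, the exception class (named after the error type quoted in the test case), the 0..65535 port-range policy and the sample rule dicts are this example's own assumptions; the protocol numbers are the standard IANA assignments.

```python
# Added example, not neutron's code: the port-range/protocol whitelist
# from bug 1749667, the unvalidated iptables rendering that triggered it,
# and an audit for rules stored before the fix.

# IANA protocol numbers (as in /etc/protocols).  Only these five carry
# L4 ports, so only they are valid with "-m multiport".
PORT_PROTOCOLS = {"tcp": 6, "udp": 17, "udplite": 136, "sctp": 132, "dccp": 33}
OTHER_PROTOCOLS = {"icmp": 1, "gre": 47, "vrrp": 112}  # non-port, not exhaustive
PORT_PROTO_NUMS = frozenset(PORT_PROTOCOLS.values())

# Constructed sample rules (not real tenant data): the report's protocol
# 112 rule, the test case's gre rule, a valid tcp rule, gre without ports.
SAMPLE_RULES = [
    {"id": "r-vrrp", "protocol": "112", "port_range_min": 1, "port_range_max": 65535},
    {"id": "r-gre", "protocol": "gre", "port_range_min": 0, "port_range_max": 255},
    {"id": "r-ssh", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"id": "r-gre-any", "protocol": "gre"},
]


class SecurityGroupInvalidProtocolForPortRange(ValueError):
    """Named after the NeutronError type quoted in the test case."""


def protocol_number(protocol):
    """Map a name ('gre') or number ('47' / 47) to the IP protocol number;
    None means 'any protocol'."""
    if protocol is None:
        return None
    text = str(protocol).lower()
    if text.isdigit():
        num = int(text)
        if not 0 <= num <= 255:
            raise ValueError("protocol number out of range: %s" % text)
        return num
    for table in (PORT_PROTOCOLS, OTHER_PROTOCOLS):
        if text in table:
            return table[text]
    raise ValueError("unknown protocol name: %s" % text)


def _normalize_range(lo, hi):
    """Fill a one-sided range (only min or only max given) from the other end."""
    lo = hi if lo is None else lo
    hi = lo if hi is None else hi
    return lo, hi


def validate_port_range(rule):
    """API-side check (the fix): a port range is accepted only with one of
    the five port-carrying protocols.  Neutron reuses these fields for
    ICMP type/code; that case is deliberately out of scope here."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return  # no ports requested: any protocol is fine
    num = protocol_number(rule.get("protocol"))
    if num is None:
        raise ValueError("a protocol is required when a port range is given")
    if num not in PORT_PROTO_NUMS:
        raise SecurityGroupInvalidProtocolForPortRange(
            "Invalid protocol %d for port range, only supported for "
            "TCP, UDP, UDPLITE, SCTP and DCCP." % num)
    lo, hi = _normalize_range(lo, hi)
    if not 0 <= lo <= hi <= 65535:  # port 0 allowed here, this example's choice
        raise ValueError("invalid port range %s:%s" % (lo, hi))


def render_iptables_rule(rule, chain, source_ip, position):
    """The unvalidated 'before' behaviour: a port range always becomes a
    multiport match whatever the protocol, giving lines like the one
    iptables-restore choked on in the report."""
    num = protocol_number(rule.get("protocol"))
    parts = ["-I", chain, str(position), "-s", source_ip]
    if num is not None:
        parts += ["-p", str(num)]
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None or hi is not None:
        parts += ["-m", "multiport", "--dports", "%d:%d" % _normalize_range(lo, hi)]
    return " ".join(parts + ["-j", "RETURN"])


def iptables_restore_would_reject(rule_line):
    """Mirror the iptables-restore check from the report: return its error
    text if the line uses multiport with a non-port protocol, else None."""
    tokens = rule_line.split()
    if "multiport" not in tokens:
        return None
    proto = tokens[tokens.index("-p") + 1] if "-p" in tokens else None
    if proto is not None and protocol_number(proto) in PORT_PROTO_NUMS:
        return None
    return "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"


def find_invalid_existing_rules(rules):
    """Audit rules stored before the fix (new ones are rejected, old ones
    are not cleaned up): ids of rules the agent would fail to apply."""
    bad = []
    for rule in rules:
        try:
            validate_port_range(rule)
        except ValueError:  # covers SecurityGroupInvalidProtocolForPortRange too
            bad.append(rule["id"])
    return bad


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        line = render_iptables_rule(rule, "neutron-openvswi-example", "10.0.0.5", 69)
        print(line, "->", iptables_restore_would_reject(line) or "loads")
    print("fix before the next iptables-restore:", find_invalid_existing_rules(SAMPLE_RULES))
```

Run directly, it renders the four sample rules and shows which ones iptables-restore would refuse; the protocol 112 rule reproduces the shape of the line quoted in the report. The audit function is the part to run against rules already in the database after deploying the fix, because one surviving invalid rule is enough to make every subsequent iptables-restore fail and keep the agent in its restart loop.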