[Yahoo-eng-team] [Bug 1461054] Re: [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221)

2015-11-19 Thread Alan Pevec
** Changed in: neutron/juno
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1461054

Title:
  [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2
  agent (CVE-2015-3221)

Status in neutron:
  Fix Released
Status in neutron juno series:
  Fix Released
Status in neutron kilo series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
  Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70

  This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
  But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.

  2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
  Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
  Exit code: 1
  Stdin:
  Stdout:
  Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid

  2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
  2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
  2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
  2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent   File 

[Yahoo-eng-team] [Bug 1461054] Re: [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221)

2015-07-29 Thread Doug Hellmann
** Changed in: neutron
   Status: Fix Committed => Fix Released

** Changed in: neutron
   Milestone: None => liberty-2

Status in neutron:
  Fix Released
Status in neutron juno series:
  Fix Committed
Status in neutron kilo series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released


[Yahoo-eng-team] [Bug 1461054] Re: [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221)

2015-07-02 Thread Tristan Cacqueray
** Changed in: ossa
   Status: Fix Committed => Fix Released

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in neutron juno series:
  Fix Committed
Status in neutron kilo series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.
