neutron: CVE-2019-10876: Unable to install new flows on compute nodes when having broken security group rules

Related Vulnerabilities: CVE-2019-10876  

Debian Bug report logs - #926502


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 6 Apr 2019 07:51:01 UTC

Severity: grave

Tags: security, upstream

Found in version neutron/2:13.0.2-14

Fixed in version neutron/2:13.0.2-15

Done: Thomas Goirand <zigo@debian.org>

Forwarded to https://bugs.launchpad.net/ossa/+bug/1813007



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#926502; Package src:neutron. (Sat, 06 Apr 2019 07:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>. (Sat, 06 Apr 2019 07:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: neutron: CVE-2019-10876: Unable to install new flows on compute nodes when having broken security group rules
Date: Sat, 06 Apr 2019 09:49:50 +0200
Source: neutron
Version: 2:13.0.2-14
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.launchpad.net/ossa/+bug/1813007

Hi,

The following vulnerability was published for neutron.

CVE-2019-10876[0]:
| An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x
| before 12.0.6, and 13.x before 13.0.3. By creating two security groups
| with separate/overlapping port ranges, an authenticated user may
| prevent Neutron from being able to configure networks on any compute
| nodes where those security groups are present, because of an Open
| vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing
| neutron-openvswitch-agent are affected.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10876
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876
[1] https://bugs.launchpad.net/ossa/+bug/1813007

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#926502. (Sat, 06 Apr 2019 21:33:05 GMT)


Message #8 received at 926502-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 926502-submitter@bugs.debian.org
Subject: Bug #926502 in neutron marked as pending
Date: Sat, 06 Apr 2019 21:29:19 +0000
Control: tag -1 pending

Hello,

Bug #926502 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/neutron/commit/4a17016279a56aab888b6807c67f0b10b66f7d0a

------------------------------------------------------------------------
* CVE-2019-10876: By creating two security groups with separate/overlapping
    port ranges, an authenticated user may prevent Neutron from being able to
    configure networks on any compute nodes where those security groups are
    present, because of an Open vSwitch (OVS) firewall KeyError. Applied
    upstream patch: Fix KeyError in OVS firewall (Closes: #926502).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926502



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 926502-submitter@bugs.debian.org. (Sat, 06 Apr 2019 21:33:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#926502; Package src:neutron. (Sat, 06 Apr 2019 21:51:02 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Sat, 06 Apr 2019 21:51:02 GMT)


Message #15 received at 926502@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 926502@bugs.debian.org
Subject: Re: Bug#926502: neutron: CVE-2019-10876: Unable to install new flows on compute nodes when having broken security group rules
Date: Sat, 6 Apr 2019 23:46:17 +0200
On 4/6/19 9:49 AM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:13.0.2-14
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://bugs.launchpad.net/ossa/+bug/1813007
> 
> Hi,
> 
> The following vulnerability was published for neutron.
> 
> CVE-2019-10876[0]:
> | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x
> | before 12.0.6, and 13.x before 13.0.3. By creating two security groups
> | with separate/overlapping port ranges, an authenticated user may
> | prevent Neutron from being able to configure networks on any compute
> | nodes where those security groups are present, because of an Open
> | vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing
> | neutron-openvswitch-agent are affected.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10876
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876
> [1] https://bugs.launchpad.net/ossa/+bug/1813007
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

Hi Salvatore,

I had a look at the code, and it changed a lot since the version in
Stretch, which doesn't seem to have the issue.

Moreover, if you read closely
https://bugs.launchpad.net/ossa/+bug/1813007, and especially comment
#48, it looks like this issue is only there since OpenStack Pike. The
version of OpenStack that is in Stretch is Newton (so, one year before
that). Therefore, Stretch (and before) isn't affected. Please update the
security tracker.

I have uploaded a fix for Rocky (currently in Sid/Buster), and will ask
for the unblock on Monday.

Cheers,

Thomas Goirand (zigo)
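
The CVE text in message #5 gives the affected upstream ranges (11.x before 11.0.7, 12.x before 12.0.6, 13.x before 13.0.3), and the reply above pins the Debian side: Rocky in Sid/Buster is fixed in neutron 2:13.0.2-15, while Stretch's Newton is not affected. The following Python is an added example for this page, not code from the bug report, from neutron or from dpkg. It reimplements dpkg's version-comparison algorithm (Debian Policy section 5.6.12, epoch / upstream_version / debian_revision with the '~' and letters-before-non-letters rules) in pure Python, so a package version string can be checked against those ranges on a host without `dpkg`. The `UPSTREAM_FIXED` and `DEBIAN_FIXED` tables and all function names are this example's own; the Debian entry records only what this bug states.

```python
import re

def _isdigit(c):
    return "0" <= c <= "9"

def _order(c):
    # dpkg's weight for a character in a non-digit run: letters sort before
    # non-letters, '~' sorts before everything, even the end of the string (0).
    if c == "" or _isdigit(c):
        return 0
    if "a" <= c <= "z" or "A" <= c <= "Z":
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate a weighted-lexical comparison of
    # non-digit runs with a numeric comparison of digit runs.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":   # leading zeros are not significant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and _isdigit(a[i]):
            return 1                        # a's number has more digits
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-debian_revision]'; absent parts count as 0."""
    epoch = 0
    if ":" in v:
        epoch, v = v.split(":", 1)
        epoch = int(epoch)
    revision = "0"
    if "-" in v:
        v, revision = v.rsplit("-", 1)
    return epoch, v, revision

def dpkg_compare(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0

# Affected upstream series and first fixed release, as stated in the CVE text.
UPSTREAM_FIXED = {"11": "11.0.7", "12": "12.0.6", "13": "13.0.3"}
# Debian fixed versions by upstream series; this bug records only Rocky (13.x).
DEBIAN_FIXED = {"13": "2:13.0.2-15"}

def _series(upstream):
    m = re.match(r"\d+", upstream)
    if not m:
        raise ValueError("unparseable upstream version: %r" % upstream)
    return m.group(0)

def upstream_affected(upstream):
    """True for an upstream release inside the CVE's ranges; series outside
    11.x-13.x (e.g. Newton 9.x in Stretch) are not listed as affected."""
    fixed = UPSTREAM_FIXED.get(_series(upstream))
    return fixed is not None and dpkg_compare(upstream, fixed) < 0

def debian_affected(pkg_version):
    """True if a Debian neutron package version still carries the bug."""
    _, upstream, _ = parse_version(pkg_version)
    if not upstream_affected(upstream):
        return False
    fixed = DEBIAN_FIXED.get(_series(upstream))
    # Vulnerable upstream and no Debian fix recorded here: assume affected.
    return fixed is None or dpkg_compare(pkg_version, fixed) < 0

if __name__ == "__main__":
    import sys
    for v in sys.argv[1:] or ["2:13.0.2-14", "2:13.0.2-15", "2:13.0.3-1"]:
        print(v, "affected" if debian_affected(v) else "not affected")
```

Two caveats for anyone using a check like this in an inventory scan. First, a backport such as 2:13.0.2-15~bpo9+1 sorts below 2:13.0.2-15 by design ('~' sorts before the end of the string), so a pure version comparison flags it even if it was built from the fixed source; the reliable confirmation is the one this thread asks for, the CVE id in the package changelog (`apt-get changelog neutron-openvswitch-agent | grep CVE-2019-10876`). Second, the Debian version only says which source is installed; the vulnerable code runs in neutron-openvswitch-agent on compute nodes, so the agent must actually be restarted after the upgrade for the fix to take effect.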



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sat, 06 Apr 2019 21:51:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 06 Apr 2019 21:51:04 GMT)


Message #20 received at 926502-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 926502-close@bugs.debian.org
Subject: Bug#926502: fixed in neutron 2:13.0.2-15
Date: Sat, 06 Apr 2019 21:49:23 +0000
Source: neutron
Source-Version: 2:13.0.2-15

We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926502@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated neutron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 06 Apr 2019 23:01:34 +0200
Source: neutron
Binary: neutron-api neutron-common neutron-dhcp-agent neutron-l3-agent neutron-linuxbridge-agent neutron-macvtap-agent neutron-metadata-agent neutron-metering-agent neutron-openvswitch-agent neutron-plugin-nec-agent neutron-rpc-server neutron-server neutron-sriov-agent python3-neutron
Architecture: source all
Version: 2:13.0.2-15
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 neutron-api - OpenStack virtual network service - API service
 neutron-common - OpenStack virtual network service - common files
 neutron-dhcp-agent - OpenStack virtual network service - DHCP agent
 neutron-l3-agent - OpenStack virtual network service - l3 agent
 neutron-linuxbridge-agent - OpenStack virtual network service - Linux bridge agent
 neutron-macvtap-agent - OpenStack virtual network service - MacVTap Agent
 neutron-metadata-agent - OpenStack virtual network service - metadata agent
 neutron-metering-agent - OpenStack virtual network service - metering agent
 neutron-openvswitch-agent - OpenStack virtual network service - Open vSwitch agent
 neutron-plugin-nec-agent - OpenStack virtual network service - NEC agent
 neutron-rpc-server - OpenStack virtual network service - RPC service
 neutron-server - OpenStack virtual network service - metapackage for the server
 neutron-sriov-agent - OpenStack virtual network service - SR-IOV agent
 python3-neutron - OpenStack virtual network service - Python library
Closes: 926502
Changes:
 neutron (2:13.0.2-15) unstable; urgency=high
 .
   * Do not set external_network_bridge=br-ex by default in l3_agent.ini:
     1/ this is deprecated upstream, and 2/ this prevents setting up
     multiple external networks.
   * CVE-2019-10876: By creating two security groups with separate/overlapping
     port ranges, an authenticated user may prevent Neutron from being able to
     configure networks on any compute nodes where those security groups are
     present, because of an Open vSwitch (OVS) firewall KeyError. Applied
     upstream patch: Fix KeyError in OVS firewall (Closes: #926502).
Checksums-Sha1:
 2243ce52dd3d1589262af8529449498887f6d63e 5044 neutron_13.0.2-15.dsc
 ce8d8acc483c2c257584ea9579258d96b6643d5e 39392 neutron_13.0.2-15.debian.tar.xz
 8e1cb8b206a5e412448c2ba27f63c04b38489e20 27008 neutron-api_13.0.2-15_all.deb
 e006d45f5c9369a3091592c7be5fe602be615a19 62952 neutron-common_13.0.2-15_all.deb
 6b552259ca5ee88d578c48ac90540304e776f04f 24904 neutron-dhcp-agent_13.0.2-15_all.deb
 00d33a2e310657048b2959c5b7852b360aa00d22 15168 neutron-l3-agent_13.0.2-15_all.deb
 3ee922e5b79c5b8a70ee8bac44b1ecf83ed6f310 18796 neutron-linuxbridge-agent_13.0.2-15_all.deb
 4237236da5ec6a16e1c704e169481b2de6eeb434 17356 neutron-macvtap-agent_13.0.2-15_all.deb
 219e618b65da8b9bd010e9c49e56827149e6feab 26972 neutron-metadata-agent_13.0.2-15_all.deb
 9633ac8ff1c7cfce295f9ead287d27d11a711790 17588 neutron-metering-agent_13.0.2-15_all.deb
 22e10f1c39cab668db79548b4c3d0defa8b767f7 25660 neutron-openvswitch-agent_13.0.2-15_all.deb
 740b460bfd68d8b8a152cecc6d6415c81a4a5586 12400 neutron-plugin-nec-agent_13.0.2-15_all.deb
 ab57ea6c22754ebb3ce52fcdb0172a6b8e4e607f 15448 neutron-rpc-server_13.0.2-15_all.deb
 b6a8fcd8fc38b92af285b5590e1ed0473d8d6e0f 12356 neutron-server_13.0.2-15_all.deb
 1ed7df7c10a315b7fcf5f57e48d1a71f6aa8605a 15096 neutron-sriov-agent_13.0.2-15_all.deb
 42d3cff9bb046bd257b962ed9203d2dc4247d7b4 18604 neutron_13.0.2-15_amd64.buildinfo
 57d36efed0c8b8f9a0219ec5575052deb8ae2abc 1519556 python3-neutron_13.0.2-15_all.deb
Checksums-Sha256:
 f9b47c9a49735c6a3b3e7e0db267b9f6c1d67b91da6831830e2143e5e5371aba 5044 neutron_13.0.2-15.dsc
 8b154fd8527bdcfa46b88a80d605e3181de786b403af4a3067c53a04761395a1 39392 neutron_13.0.2-15.debian.tar.xz
 73ba6d1682949d0adf40e8e24f46f8adc2d206f3f25a6bab6a7787e1a29f7eab 27008 neutron-api_13.0.2-15_all.deb
 3b436d81ba5713eba41e5faa5d029d5a238d19b5b9c88fb78291fef985adb06c 62952 neutron-common_13.0.2-15_all.deb
 276c1c9d819a3e8f6a6fa5414b221fca834e562dc1c48b39e4837939c877d881 24904 neutron-dhcp-agent_13.0.2-15_all.deb
 b58e1be54cece48abc616b67f24d5c8eb9db23a127c8611b7adfd239ae6129c2 15168 neutron-l3-agent_13.0.2-15_all.deb
 d974feaab9d8dd6dca49f05cd414b096c334a89ddebdf1ce332d0ac79971e3d0 18796 neutron-linuxbridge-agent_13.0.2-15_all.deb
 974e3372bba9e4c11774108876a7029ad900e97a36f75798adca721299535b50 17356 neutron-macvtap-agent_13.0.2-15_all.deb
 9198955a0926d3b7d5595076589ce5607bbb00235d270596e700d221ecbe4161 26972 neutron-metadata-agent_13.0.2-15_all.deb
 8bb61a78b41d76d0cbd03b43f5a86483ba421a57e81ec0457827c6567d2f782f 17588 neutron-metering-agent_13.0.2-15_all.deb
 fcd232e7826a11686aed46ddb06e1a8334fb56eba1ac3448fa45a491a7ce2843 25660 neutron-openvswitch-agent_13.0.2-15_all.deb
 9f5c4c80f91009076cced1b7e20bb9b7a4baa00e148c64c02a2342fa562ab6c5 12400 neutron-plugin-nec-agent_13.0.2-15_all.deb
 28024e744c98a5a8e6a0c166cf651b296f9f934bec2df5735230209684bd8e15 15448 neutron-rpc-server_13.0.2-15_all.deb
 77418d7ddfeff9843e6b37b479a084ed9bdadb950ed6e1b5547d4a1184bf1f9d 12356 neutron-server_13.0.2-15_all.deb
 cb6467625c61ff88a3afc6b84b2f2bc508d519bc321ef558c755964007c9532e 15096 neutron-sriov-agent_13.0.2-15_all.deb
 ee52f1e5353bd9c815abf89b36c92a67af2847ebd19e1dffbf7598665110a570 18604 neutron_13.0.2-15_amd64.buildinfo
 a52e1031d6ba7d8fa0bfc107910483cc30279ab99586f2ae358b216b38f3da47 1519556 python3-neutron_13.0.2-15_all.deb
Files:
 dedba766b1164fc857af51fa8948cc06 5044 net optional neutron_13.0.2-15.dsc
 875fca9351b015a79b208b5fd878ab5f 39392 net optional neutron_13.0.2-15.debian.tar.xz
 ba23c822bbbac1a89d381e2c8b250b6b 27008 net optional neutron-api_13.0.2-15_all.deb
 b2f269e28c6b724b4d4218a20d5ada4b 62952 net optional neutron-common_13.0.2-15_all.deb
 3c9f7ddd274b48d7a0bd78f60f6b3d43 24904 net optional neutron-dhcp-agent_13.0.2-15_all.deb
 bce8fc8e32acd7cc3300508acbc41407 15168 net optional neutron-l3-agent_13.0.2-15_all.deb
 74efbfd35651ebcd3b7b3f56949ce076 18796 net optional neutron-linuxbridge-agent_13.0.2-15_all.deb
 93e612e7afdeb4db6552c226ea4f44ec 17356 net optional neutron-macvtap-agent_13.0.2-15_all.deb
 75370cd7cce249dc45af389a11f99cb8 26972 net optional neutron-metadata-agent_13.0.2-15_all.deb
 51b89619cd8f93b7f2ab70090f73ce70 17588 net optional neutron-metering-agent_13.0.2-15_all.deb
 bd9a043043a2b01c7865fccbdf486c32 25660 net optional neutron-openvswitch-agent_13.0.2-15_all.deb
 fcab4e049de74861139eb59d85ab6e4e 12400 net optional neutron-plugin-nec-agent_13.0.2-15_all.deb
 0758e40b3ae30ee2f351caedbb080dc4 15448 net optional neutron-rpc-server_13.0.2-15_all.deb
 61d241678d886fff3bfec45ba2483e59 12356 net optional neutron-server_13.0.2-15_all.deb
 a10f608a5e05458dcf3d1bcfc310d5f5 15096 net optional neutron-sriov-agent_13.0.2-15_all.deb
 e3e75ef38e5644ba43b7c7a8b315aa64 18604 net optional neutron_13.0.2-15_amd64.buildinfo
 aba3632eebfdbfad9ebf40f4abfab32a 1519556 python optional python3-neutron_13.0.2-15_all.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#926502; Package src:neutron. (Sun, 07 Apr 2019 07:00:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Sun, 07 Apr 2019 07:00:03 GMT)


Message #25 received at 926502@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>, 926502@bugs.debian.org
Subject: Re: Bug#926502: neutron: CVE-2019-10876: Unable to install new flows on compute nodes when having broken security group rules
Date: Sun, 7 Apr 2019 08:57:31 +0200
Hi Thomas,

On Sat, Apr 06, 2019 at 11:46:17PM +0200, Thomas Goirand wrote:
> On 4/6/19 9:49 AM, Salvatore Bonaccorso wrote:
> > Source: neutron
> > Version: 2:13.0.2-14
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://bugs.launchpad.net/ossa/+bug/1813007
> > 
> > Hi,
> > 
> > The following vulnerability was published for neutron.
> > 
> > CVE-2019-10876[0]:
> > | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x
> > | before 12.0.6, and 13.x before 13.0.3. By creating two security groups
> > | with separate/overlapping port ranges, an authenticated user may
> > | prevent Neutron from being able to configure networks on any compute
> > | nodes where those security groups are present, because of an Open
> > | vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing
> > | neutron-openvswitch-agent are affected.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-10876
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876
> > [1] https://bugs.launchpad.net/ossa/+bug/1813007
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> I had a look at the code, and it changed a lot since the version in
> Stretch, which doesn't seem to have the issue.
> 
> Moreover, if you read closely
> https://bugs.launchpad.net/ossa/+bug/1813007, and especially comment
> #48, it looks like this issue is only there since OpenStack Pike. The
> version of OpenStack that is in Stretch is Newton (so, one year before
> that). Therefore, Stretch (and before) isn't affected. Please update the
> security tracker.

Thanks for the research. I have made the change to the
security-tracker data[1].

 [1] https://salsa.debian.org/security-tracker-team/security-tracker/commit/f2b65a8593ea7707cdfec20125cec37c672908d1

> I have uploaded a fix for Rocky (currently in Sid/Buster), and will ask
> for the unblock on Monday.

Thank you!

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:33:26 2019; Machine Name: buxtehude
