Headline
CVE-2015-7713: Bug #1491307 “[OSSA 2015-021] secgroup rules doesn't work for in...” : Bugs : OpenStack Compute (nova)
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.
I have an OpenStack kilo setup on RHEL7.1 with a controller and a compute node (network-compute + network-network),the config is following:
# /etc/nova.nova.conf on contrller node
[DEFAULT]
network_api_class = nova.network.api.API
security_group_api = nova
# /etc/nova/nova.conf on compute node
[DEFAULT]
network_api_class = nova.network.api.API
security_group_api = nova
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
network_manager = nova.network.manager.FlatDHCPManager
network_size = 254
allow_same_net_traffic = False
multi_host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True
flat_network_bridge = br100
flat_interface = eth0
public_interface = eth0
steps for test 1:
- create and start VM instance-1 with secgroup default;
- VM instance-1 ping br100: OK;
- br100 ping VM instance-1: operation not permitted (because of no secgroup-rules for ICMP)
- nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
- br100 ping VM instance-1: i got the same wrong message, not expected.
steps for test 2:
- nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
- create and start VM instance-2 with secgroup default;
- br100 ping instance-2: OK
It seems that command “nova secgroup-add-rule …” doesn’t work immediately for the existed or running VM instances?