Description
A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.
Mitigation
To determine whether your system is impacted, run:

```
$ sudo sysctl net.bridge.bridge-nf-call-ip6tables
$ sudo sysctl net.bridge.bridge-nf-call-iptables
```

Both should be set to 1.

To reset security groups to '1':

- Apply the following configuration modification: `$ sudo sed -i.back -e 's/reapply_sysctl = 0/reapply_sysctl = 1/' /etc/tuned/tuned-main.conf`
- Ensure the modification was successful: `$ grep reapply_sysctl /etc/tuned/tuned-main.conf` should print "reapply_sysctl = 1".
- Check whether tuned is running: `$ sudo systemctl status tuned`
- Restart tuned to apply the new configuration: `$ sudo systemctl restart tuned`
- Recheck your security groups and the status of 'reapply_sysctl'.
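An added check-and-remediate script, not from the advisory, that combines the steps above: it classifies captured sysctl output, reads and fixes reapply_sysctl in tuned-main.conf the way the advisory's sed and grep commands do, and reports the live host state. The TUNED_CONF override and the check/fix subcommands are assumptions; the sysctl names and file path are those in the advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory: detect the state it describes
# (bridge-nf-call sysctls reset to 0, tuned reapply_sysctl = 0) and apply its
# remediation. TUNED_CONF is an assumed override so the logic can be tried on a copy.
CONF="${TUNED_CONF:-/etc/tuned/tuned-main.conf}"

# sysctl_value KEY TEXT: value of KEY in sysctl-style "key = value" lines.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k && $2 == "=" { print $3 }'
}

# bridge_nf_state TEXT: "ok" when both sysctls are 1, "disabled" when either
# is not (the advisory's condition), "missing" when a key is absent, e.g.
# because the br_netfilter module is not loaded on this host.
bridge_nf_state() {
    v4=$(sysctl_value net.bridge.bridge-nf-call-iptables "$1")
    v6=$(sysctl_value net.bridge.bridge-nf-call-ip6tables "$1")
    if [ -z "$v4" ] || [ -z "$v6" ]; then
        echo missing
    elif [ "$v4" = 1 ] && [ "$v6" = 1 ]; then
        echo ok
    else
        echo disabled
    fi
}

# reapply_sysctl_value FILE: the reapply_sysctl setting from tuned-main.conf,
# tolerating surrounding whitespace and ignoring commented-out lines.
reapply_sysctl_value() {
    awk -F= '/^[ \t]*reapply_sysctl[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# fix_reapply_sysctl FILE: the advisory's sed edit (keeps a .back copy) and
# the grep-style verification; fails if the file still does not read 1.
fix_reapply_sysctl() {
    sed -i.back -e 's/reapply_sysctl = 0/reapply_sysctl = 1/' "$1"
    [ "$(reapply_sysctl_value "$1")" = 1 ]
}

# Live host check: a healthy host prints "ok" and "1".
check_host() {
    out=$(sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables 2>/dev/null)
    echo "bridge-nf-call sysctls: $(bridge_nf_state "$out")"
    echo "reapply_sysctl in $CONF: $(reapply_sysctl_value "$CONF")"
}
case "${1:-}" in
    check) check_host ;;
    fix)   fix_reapply_sysctl "$CONF" && systemctl restart tuned && check_host ;;
esac
```

Run `sudo sh check_bridge_nf.sh check` before and after the update; `fix` performs the advisory's edit, restarts tuned and rechecks.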
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat OpenStack Platform 12 (Pike) | openstack-neutron | Not affected | | |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | openstack-neutron | Fixed | RHSA-2017:2452 | 08.08.2017 |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | openstack-neutron | Fixed | RHSA-2017:2450 | 08.08.2017 |
| Red Hat OpenStack Platform 10.0 (Newton) | openstack-neutron | Fixed | RHSA-2017:2448 | 08.08.2017 |
| Red Hat OpenStack Platform 11.0 (Ocata) | openstack-neutron | Fixed | RHSA-2017:2449 | 08.08.2017 |
| Red Hat OpenStack Platform 8.0 (Liberty) | openstack-neutron | Fixed | RHSA-2017:2451 | 08.08.2017 |
| Red Hat OpenStack Platform 9.0 (Mitaka) | openstack-neutron | Fixed | RHSA-2017:2447 | 08.08.2017 |
Additional information
Status:
CVSS3: 5.3 Medium