{ "threat_severity" : "Important", "public_date" : "2017-08-08T00:00:00Z", "bugzilla" : { "description" : "openstack-neutron: iptables not active after update", "id" : "1473792", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1473792" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-362", "details" : [ "A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.", "A race-condition flaw was discovered in openstack-neutron where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources." ], "acknowledgement" : "This issue was discovered by Paul Needle (Red Hat).", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "release_date" : "2017-08-08T00:00:00Z", "advisory" : "RHSA-2017:2452", "cpe" : "cpe:/a:redhat:openstack:6::el7", "package" : "openstack-neutron-0:2014.2.3-42.el7ost" }, { "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "release_date" : "2017-08-08T00:00:00Z", "advisory" : "RHSA-2017:2450", "cpe" : "cpe:/a:redhat:openstack:7::el7", "package" : "openstack-neutron-0:2015.1.4-16.1.el7ost" }, { "product_name" : "Red Hat OpenStack Platform 10.0 (Newton)", "release_date" : "2017-08-08T00:00:00Z", "advisory" : "RHSA-2017:2448", "cpe" : "cpe:/a:redhat:openstack:10::el7", "package" : "openstack-neutron-1:9.3.1-2.1.el7ost" }, { "product_name" : "Red Hat OpenStack Platform 11.0 (Ocata)", "release_date" : "2017-08-08T00:00:00Z", "advisory" : "RHSA-2017:2449", "cpe" : "cpe:/a:redhat:openstack:11::el7", "package" : "openstack-neutron-1:10.0.2-1.1.el7ost" }, { "product_name" : "Red Hat OpenStack Platform 8.0 (Liberty)", "release_date" : "2017-08-08T00:00:00Z", "advisory" : "RHSA-2017:2451", "cpe" : "cpe:/a:redhat:openstack:8::el7", "package" : "openstack-neutron-1:7.2.0-12.1.el7ost" }, { "product_name" : "Red Hat OpenStack Platform 9.0 (Mitaka)", "release_date" : "2017-08-08T00:00:00Z", "advisory" : "RHSA-2017:2447", "cpe" : "cpe:/a:redhat:openstack:9::el7", "package" : "openstack-neutron-1:8.3.0-11.1.el7ost" } ], "package_state" : [ { "product_name" : "Red Hat OpenStack Platform 12 (Pike)", "fix_state" : "Not affected", "package_name" : "openstack-neutron", "cpe" : "cpe:/a:redhat:openstack:12" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-7543\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7543" ], "name" : "CVE-2017-7543", "mitigation" : { "value" : "To determine whether your system is impacted, run:\n$ sudo sysctl net.bridge.bridge-nf-call-ip6tables \n$ sudo sysctl net.bridge.bridge-nf-call-iptables\nBoth should be set to 1\nTo reset security groups to '1':\n1. Apply the following configuration modification:\n$ sudo sed -i.back -e 's/reapply_sysctl = 0/reapply_sysctl = 1/' /etc/tuned/tuned-main.conf\n2. Ensure the modification was successful:\n$ grep reapply_sysctl /etc/tuned/tuned-main.conf\nshould be \"reapply_sysctl = 1\"\n3. Check whether tuned is running:\n$ sudo systemctl status tuned\n4. Restart tuned to apply the new configuration:\n$ sudo systemctl restart tuned\n5. Recheck your security groups and the status of 'reapply_sysctl'.", "lang" : "en:us" }, "csaw" : false }