
[Openstack-security] [Bug 1837339] Re: CIDR's of the form should be an error

Per Tristan's suggestion, the VMT will treat this as a security
hardening opportunity, no advisory needed.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security


  CIDR's of the form should be an error

Status in OpenStack Dashboard (Horizon):
Status in neutron:
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:

Bug description:
  The problem is that some users do not understand how CIDRs work, and
  incorrectly use /0 when they are trying to specify a single IP or a
  subnet in an Access Rule.  Unfortunately means the same
  thing as

  The proposed fix is to insist that /0 only be used with and
  the IPv6 equivalent ::/0 when entering or updating Access Rule CIDRs
  via the dashboard.

  I am labeling this as a security vulnerability since it leads to naive
  users creating instances with ports open to the world when they didn't
  intend to do that.
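As an added illustration (not code from the bug report, Horizon or neutron), the check proposed above written against Python's standard ipaddress module: a /0 prefix is accepted only with an all-zero address, and the helper also shows why a mis-typed /0 silently widens a rule to the whole Internet. The sample inputs are constructed.

```python
import ipaddress

# Constructed sample inputs: what a user might type into an access-rule form.
SAMPLE_RULE_CIDRS = ["10.0.0.5/0", "0.0.0.0/0", "::/0", "2001:db8::1/0",
                     "10.0.0.5/32", "192.168.1.0/24", "not-a-cidr"]


def effective_network(cidr: str) -> str:
    """Return the network a rule CIDR actually matches once host bits are masked.

    strict=False masks off the host bits, which is exactly why 10.0.0.5/0
    ends up matching the same traffic as 0.0.0.0/0.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def check_rule_cidr(cidr: str) -> tuple[bool, str]:
    """Validate a CIDR entered for an access rule.

    Implements the check the bug report proposes: a /0 prefix is only
    accepted with 0.0.0.0 (IPv4) or :: (IPv6), so "everywhere" has to be an
    explicit choice rather than a side effect of a mis-typed prefix.
    Returns (True, canonical_cidr) on success or (False, reason) on failure.
    """
    try:
        iface = ipaddress.ip_interface(cidr)
    except ValueError:
        return False, f"{cidr!r} is not a valid IP address or CIDR"
    network = iface.network
    if network.prefixlen == 0 and iface.ip != network.network_address:
        return False, (f"{cidr!r} has a /0 prefix but a non-zero address and "
                       f"would match every address; use {network} if intended")
    return True, str(network)


if __name__ == "__main__":
    for cidr in SAMPLE_RULE_CIDRS:
        ok, detail = check_rule_cidr(cidr)
        print(f"{cidr:>16}  ->  {'accept' if ok else 'reject'}: {detail}")
```

Applying the same host-bits condition (`iface.ip != network.network_address`) at every prefix length would also flag entries such as 10.0.0.5/8, but the report only proposes rejecting /0.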
