
Virtual router stop/start modifies firewall rules allowing additional access

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.1.1
    • Fix Version/s: 4.2.1, 4.3.0
    • Component/s: Virtual Router
    • Security Level: Public (Anyone can view this level - this is the default.)

      Description

      Say a user created a firewall rule to allow all access to port 22 from 172.16.40.0/24; it would be correctly processed by the VRouter and stored in the database. If the VRouter instance were stopped and started, the source CIDR (172.16.40.0/24) would become null and consequently be set to 0.0.0.0/0, allowing free access to this port from the internet once the router finished restarting. Changing a rule on the firewall would send the correct information again, including the source CIDRs, until the next stop/start.

      This behavior was observed in version 4.1.1 and confirmed to still exist in the current master build.

      Considering that a stop/start of the router VMs is part of our standard upgrade procedure, this is a serious issue.
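      A defender's check for the failure mode described above, added here as an example that is not part of this ticket or of the CloudStack code base: it compares the rules the tenant defined (the database/API view, which stays correct) against the rules actually present on the virtual router after a stop/start, and flags any rule whose applied source range is broader than defined. The `FIREWALL_<public ip>` chain name and the `iptables -S` line layout are assumptions; the sample data is constructed.

```python
import ipaddress
import re

# Constructed sample: the rules as the tenant created them (API/database view).
INTENDED_RULES = [
    {"ip": "203.0.113.10", "proto": "tcp", "port": 22,  "cidrs": ["172.16.40.0/24"]},
    {"ip": "203.0.113.10", "proto": "tcp", "port": 443, "cidrs": ["0.0.0.0/0"]},
]

# Constructed `iptables -S` excerpt from the router after a stop/start. Chain
# naming is an assumption. The port-22 rule has lost its "-s 172.16.40.0/24",
# which is the symptom the ticket describes (source CIDR became 0.0.0.0/0).
VR_IPTABLES_AFTER_RESTART = """\
-A FIREWALL_203.0.113.10 -p tcp -m tcp --dport 22 -j RETURN
-A FIREWALL_203.0.113.10 -p tcp -m tcp --dport 443 -j RETURN
"""

RULE_RE = re.compile(
    r"-A FIREWALL_(?P<ip>\S+)(?: -s (?P<src>\S+))? -p (?P<proto>\w+)"
    r"(?: -m \w+)? --dport (?P<port>\d+) -j RETURN")


def parse_vr_rules(text):
    """Map (public ip, proto, port) -> list of source networks found on the router.
    An iptables rule with no -s match accepts any source, i.e. 0.0.0.0/0."""
    applied = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        key = (m["ip"], m["proto"], int(m["port"]))
        applied.setdefault(key, []).append(ipaddress.ip_network(m["src"] or "0.0.0.0/0"))
    return applied


def widened_rules(intended, vr_text):
    """Return findings for intended rules whose applied source is broader than defined."""
    applied = parse_vr_rules(vr_text)
    findings = []
    for rule in intended:
        allowed = [ipaddress.ip_network(c) for c in rule["cidrs"]]
        for src in applied.get((rule["ip"], rule["proto"], rule["port"]), []):
            # The applied source is acceptable only if some intended CIDR contains it.
            if not any(src.subnet_of(net) for net in allowed):
                findings.append({"ip": rule["ip"], "port": rule["port"],
                                 "intended": rule["cidrs"], "applied": str(src)})
    return findings
```

Run this against the router's real `iptables -S` output after every planned stop/start; an empty result means no rule has widened beyond what the tenant defined.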

        Activity

        John Kinsella added a comment - edited
        CVSS Score 5.0: AV:N/AC:L/Au:N/C:P/I:N/A:N
        
        John Kinsella added a comment -

        Credit:
        Reported by the Cloud team at Schuberg Philis

        NIST's CVSS calculator is down...once it's back up I'll add a score.

        Hugo Trippaers added a comment -

        The patch file to fix this issue.

        There are a few cleanups on the patch as well. Only the _rulesDao.loadSourceCidrs((FirewallRuleVO)rule); is relevant to this issue.


          People

          • Assignee: Jayapal Reddy
          • Reporter: John Kinsella
          • Votes: 0
          • Watchers: 2
