[CLOUDSTACK-5263] Virtual router stop/start modifies firewall rules allowing additional access - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 4.1.1
Fix Version/s: 4.2.1, 4.3.0
Component/s: Virtual Router
Security Level: Public (Anyone can view this level - this is the default.)
Labels:
- security

Description

Say a user created a firewall rule to allow all access to port 22 from 172.16.40.0/24 it would be correctly processed by the VRouter and stored in the database. If the Vrouter instance would be stopped and started, the source cidr (172.16.40.0/24) would become null and consequently set to 0.0.0.0/0. Allowing free access to this port from the internet when the router finished restarting. Changing a rule on the firewall would send the correct information again including the sourceCids until the next stop start.

This behavior was observed in version 4.1.1 and confirmed to still exist in the current master build.

Considering that a stop/start of the router vms is part of our standard upgrade procedure, this is a serious issue.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

0001-Fix-issue-with-sourceCidr-not-being-passed-to-the-VR.patch
25/Nov/13 22:27
4 kB
Hugo Trippaers

Activity

People

Assignee:: Jayapal

Reporter:: John Kinsella

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 25/Nov/13 22:12

Updated:: 10/Jan/14 05:30

Resolved:: 23/Dec/13 05:02