
[Openstack-security] [Bug 1749326] Re: Exploitable services exposed on community test nodes


Reviewed:  https://review.openstack.org/550821
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=404d4d0a50f292b1fd6e916cf80813b260621840
Submitter: Zuul
Branch:    master

commit 404d4d0a50f292b1fd6e916cf80813b260621840
Author: Paul Bourke <paul.bourke at oracle.com>
Date:   Thu Mar 8 12:55:05 2018 +0000

    Use zuul firewall rules in gate
    
    Till now we've been flushing iptables in the gates to allow cross node
    communication in the multi node ceph jobs. This raised security
    concerns, in particular it exposed memcached to the external net.
    
    This patch uses the infra provided role 'multi-node-firewall' in order
    to correctly configure iptables. Thanks to Jeremy Stanley and Jeffrey
    for help with this.
    
    Closes-Bug: #1749326
    Change-Id: Iafaf1cf1d9b0227b0f869969d0bd52fbde3791a0


** Changed in: kolla-ansible
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1749326

Title:
  Exploitable services exposed on community test nodes

Status in kolla-ansible:
  Fix Released

Bug description:
  One of the donor service providers for the upstream OpenStack
  Infrastructure CI pool has notified us that their security team's
  periodic vulnerability scans have been identifying systems at random
  within our environment as running open memcached servers. Job
  correlation from these reports indicates each was running one of the
  following:

  kolla-ansible-oraclelinux-binary
  kolla-ansible-oraclelinux-source
  kolla-ansible-oraclelinux-source-ceph

  Please adjust the configuration of your job framework to prevent these
  services from being exposed to the Internet (through iptables ingress
  filters, service ACLs, configuring them to not listen on globally-
  routable interfaces, whatever works). Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/kolla-ansible/+bug/1749326/+subscriptions
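The bug report asks job owners to keep memcached and similar services off the Internet by way of ingress filtering or by not binding them to globally reachable interfaces. The following audit script is an added example, not part of the kolla-ansible patch or of the Launchpad bug: it parses the text output of `ss -ltnu` on a Linux host, classifies each local bind address (wildcard, loopback, link-local, or a specific interface address), and reports listeners on ports of interest that are reachable beyond the host. The `ss` output embedded in SAMPLE_SS is constructed for the example and was not captured from a gate node; the port set, function names and the classification labels are choices made here.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Set


class Listener(NamedTuple):
    proto: str   # "tcp" or "udp"
    addr: str    # local address with brackets and IPv6 zone suffix stripped
    port: int


# memcached's default port, the service named in the bug report.
DEFAULT_PORTS: Set[int] = {11211}

# Constructed sample in the format of `ss -ltnu` on Linux (not captured from a gate node).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      1024   0.0.0.0:11211       0.0.0.0:*
tcp   LISTEN 0      1024   [::]:11211          [::]:*
tcp   LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:11211       0.0.0.0:*
tcp   LISTEN 0      128    10.0.0.5:3306       0.0.0.0:*
tcp   LISTEN 0      128    [fe80::1]%eth0:22   [::]:*
"""


def parse_ss(output: str) -> List[Listener]:
    """Parse the text output of `ss -ltnu` into Listener tuples."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue  # header line, or a Netid this audit does not cover
        addr, _, port = parts[4].rpartition(":")
        addr = addr.split("%")[0].strip("[]")  # drop IPv6 zone suffix and brackets
        if not port.isdigit():
            continue
        listeners.append(Listener(parts[0], addr, int(port)))
    return listeners


def classify(addr: str) -> str:
    """Classify a local bind address by how far it is reachable."""
    if addr in ("0.0.0.0", "::", "*"):
        return "wildcard"        # bound on every interface
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"        # host-only
    if ip.is_link_local:
        return "link-local"      # same L2 segment only
    return "specific"            # one interface; reachable wherever that network routes


def exposed_listeners(output: str, ports: Iterable[int] = DEFAULT_PORTS) -> List[Listener]:
    """Return listeners on the given ports that are reachable beyond the host itself."""
    wanted = set(ports)
    return [l for l in parse_ss(output)
            if l.port in wanted and classify(l.addr) in ("wildcard", "specific")]


def report(output: str, ports: Iterable[int] = DEFAULT_PORTS) -> List[str]:
    """One finding per exposed listener, phrased as the remediation the bug asks for."""
    return [f"{l.proto} {l.addr}:{l.port} bound {classify(l.addr)}; "
            "needs an ingress filter or a loopback/internal-only bind"
            for l in exposed_listeners(output, ports)]


if __name__ == "__main__":
    # On a real host: report(subprocess.check_output(["ss", "-ltnu"], text=True))
    for line in report(SAMPLE_SS):
        print(line)
```

A "specific" bind (here 10.0.0.5:3306) is deliberately still reported: binding to a private interface address is the right default for a multi-node job, but it only keeps the service off the Internet if ingress filtering on that interface is in place, which is exactly what flushing iptables in the gate had removed.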