An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesnt support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which its applied. (Only deployments using the iptables security group driver are affected.)
The product does not handle or incorrectly handles an exceptional condition.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Neutron | Openstack | * | 10.0.8 (excluding) |
| Neutron | Openstack | 11.0.0 (including) | 11.0.7 (excluding) |
| Neutron | Openstack | 12.0.0 (including) | 12.0.6 (excluding) |
| Neutron | Openstack | 13.0.0 (including) | 13.0.3 (excluding) |
| Red Hat OpenStack Platform 10.0 (Newton) | RedHat | openstack-neutron-1:9.4.1-40.el7ost | * |
| Red Hat OpenStack Platform 10.0 (Newton) | RedHat | openstack-neutron-lbaas-1:9.2.2-8.el7ost | * |
| Red Hat OpenStack Platform 10.0 (Newton) | RedHat | python-networking-bigswitch-2:9.42.14-1.el7ost | * |
| Red Hat OpenStack Platform 13.0 (Queens) | RedHat | openstack-neutron-1:12.0.5-11.el7ost | * |
| Red Hat OpenStack Platform 14.0 (Rocky) | RedHat | openstack-neutron-1:13.0.3-0.20190313155649.00b63be.el7ost | * |
| Neutron | Ubuntu | bionic | * |
| Neutron | Ubuntu | cosmic | * |
| Neutron | Ubuntu | esm-infra/bionic | * |
| Neutron | Ubuntu | esm-infra/xenial | * |
| Neutron | Ubuntu | trusty | * |
| Neutron | Ubuntu | upstream | * |
| Neutron | Ubuntu | xenial | * |