[ https://issues.apache.org/jira/browse/CLOUDSTACK-5263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Nalley updated CLOUDSTACK-5263:
-------------------------------------
    Security: Public  (was: Non-Public)

> Virtual router stop/start modifies firewall rules allowing additional access
> ----------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5263
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5263
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.1.1
>            Reporter: John Kinsella
>            Assignee: Jayapal Reddy
>            Priority: Critical
>              Labels: security
>             Fix For: 4.2.1, 4.3.0
>
>         Attachments: 0001-Fix-issue-with-sourceCidr-not-being-passed-to-the-VR.patch
>
>
> Say a user created a firewall rule to allow all access to port 22 from 172.16.40.0/24; it would be correctly processed by the VRouter and stored in the database. If the Vrouter instance were stopped and started, the source CIDR (172.16.40.0/24) would become null and consequently be set to 0.0.0.0/0, allowing free access to this port from the internet once the router finished restarting. Changing a rule on the firewall would send the correct information again, including the sourceCidr, until the next stop/start.
> This behavior was observed in version 4.1.1 and confirmed to still exist in the current master build.
> Considering that a stop/start of the router VMs is part of our standard upgrade procedure, this is a serious issue.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
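An added audit script (not part of the issue or of CloudStack itself) that checks a virtual router's `iptables-save` output against the source CIDRs the operator configured, so a rule that silently widened to 0.0.0.0/0 after a stop/start is caught. The chain name `FIREWALL_<public ip>`, the sample dump and the expected rule table are all constructed for the example.

```python
import re

# Constructed sample: an `iptables-save` excerpt from the router after a restart.
# The chain name FIREWALL_<public ip> is an assumption for this example.
# iptables-save omits "-s" entirely when the source is 0.0.0.0/0, which is exactly
# how the bug presents: the narrow source CIDR simply vanishes from the port-22 rule.
IPTABLES_SAVE_AFTER_RESTART = """\
*filter
:FIREWALL_192.0.2.10 - [0:0]
-A FIREWALL_192.0.2.10 -p tcp -m tcp --dport 22 -j ACCEPT
-A FIREWALL_192.0.2.10 -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FIREWALL_192.0.2.10 -j DROP
COMMIT
"""

# Rules as the operator configured them in CloudStack (constructed):
# (protocol, port) -> source CIDR that should be enforced.
EXPECTED_RULES = {("tcp", 22): "172.16.40.0/24", ("tcp", 443): "203.0.113.0/24"}

RULE_RE = re.compile(
    r"^-A (?P<chain>FIREWALL_\S+)"
    r"(?: -s (?P<src>\S+))?"          # absent when the source is 0.0.0.0/0
    r" -p (?P<proto>\S+) -m \S+ --dport (?P<port>\d+) -j ACCEPT$"
)


def parse_accept_rules(dump: str) -> dict:
    """Map (proto, port) -> effective source CIDR for every ACCEPT rule in the dump."""
    rules = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[(m["proto"], int(m["port"]))] = m["src"] or "0.0.0.0/0"
    return rules


def audit(dump: str, expected: dict) -> list:
    """Return a finding for every rule whose live source differs from what was configured."""
    live = parse_accept_rules(dump)
    findings = []
    for (proto, port), want in expected.items():
        got = live.get((proto, port))
        if got is None:
            findings.append(f"{proto}/{port}: rule missing on router")
        elif got != want:
            findings.append(f"{proto}/{port}: source {got} on router, expected {want}")
    return findings


if __name__ == "__main__":
    for finding in audit(IPTABLES_SAVE_AFTER_RESTART, EXPECTED_RULES):
        print("FINDING:", finding)
```

Run it against a real dump (`iptables-save` captured on the router) right after each VR stop/start in the upgrade procedure; any finding means the rule must be re-pushed before the router is considered back in service.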