[openstack-announce] [OSSA-2019-005] Octavia Amphora-Agent not requiring Client-Certificate (CVE-2019-17134)

Daniel 'f0o' Preussker daniel at preussker.net
Tue Oct 8 09:23:06 UTC 2019


=====================================================================
OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
=====================================================================

:Date: October 07, 2019
:CVE: CVE-2019-17134


Affects
~~~~~~~
- Octavia: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0


Description
~~~~~~~~~~~
Daniel Preussker reported a vulnerability in amphora-agent, running
within Octavia Amphora Instances which allows unauthenticated access
from the management network. This leads to information disclosure and
also allows changes to the configuration of the Amphora via simple
HTTP requests because cmd/agent.py gunicorn cert_reqs option is
incorrectly set to True instead of ssl.CERT_REQUIRED.


Patches
~~~~~~~
- https://review.opendev.org/686547 (Ocata)
- https://review.opendev.org/686546 (Pike)
- https://review.opendev.org/686545 (Queens)
- https://review.opendev.org/686544 (Rocky)
- https://review.opendev.org/686543 (Stein)
- https://review.opendev.org/686541 (Train)


Credits
~~~~~~~
- Daniel Preussker (CVE-2019-17134)


References
~~~~~~~~~~
- https://storyboard.openstack.org/#!/story/2006660
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17134


Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance and
  will receive no new point releases, but patches for them are provided as a
  courtesy.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20191008/0a6d4039/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20191008/0a6d4039/attachment.sig>


More information about the OpenStack-announce mailing list