Bugzilla – Bug 1153304
VUL-0: CVE-2019-17134: openstack-octavia: Octavia Amphora-Agent not requiring Client-Certificate
Last modified: 2024-05-06 12:36:22 UTC
Received via oss

=====================================================================
OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
=====================================================================

:Date: October 07, 2019
:CVE: CVE-2019-17134

Affects
~~~~~~~
- Octavia: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0

Description
~~~~~~~~~~~
Daniel Preussker reported a vulnerability in amphora-agent, running within Octavia Amphora Instances which allows unauthenticated access from the management network. This leads to information disclosure and also allows changes to the configuration of the Amphora via simple HTTP requests because cmd/agent.py gunicorn cert_reqs option is incorrectly set to True instead of ssl.CERT_REQUIRED.

Patches
~~~~~~~
- https://review.opendev.org/686547 (Ocata)
- https://review.opendev.org/686546 (Pike)
- https://review.opendev.org/686545 (Queens)
- https://review.opendev.org/686544 (Rocky)
- https://review.opendev.org/686543 (Stein)
- https://review.opendev.org/686541 (Train)

Credits
~~~~~~~
- Daniel Preussker (CVE-2019-17134)

References
~~~~~~~~~~
- https://storyboard.openstack.org/#!/story/2006660
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17134

Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy.
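The misconfiguration the advisory describes, as an added example that is not Octavia's or gunicorn's own code: Python's `True` is the integer 1, which the ssl module reads as CERT_OPTIONAL, so a presented client certificate is verified but none is ever required. The snippet applies both settings to a server-side SSLContext and adds a small audit helper for a gunicorn options dict; the certificate paths are placeholders.

```python
"""Added example: why gunicorn cert_reqs=True does not require a client
certificate, plus an audit helper that flags the mistake. Not code from
Octavia or gunicorn; option dicts and paths are constructed placeholders."""
import ssl

# Constructed gunicorn option dicts. The 'cert_reqs' key is gunicorn's real
# setting name (it takes the stdlib ssl.CERT_* constants); paths are placeholders.
VULNERABLE_OPTIONS = {
    "certfile": "/path/to/server.pem",      # placeholder
    "keyfile": "/path/to/server.key",       # placeholder
    "ca_certs": "/path/to/client_ca.pem",   # placeholder
    "cert_reqs": True,                      # the bug: True == 1 == CERT_OPTIONAL
}
FIXED_OPTIONS = dict(VULNERABLE_OPTIONS, cert_reqs=ssl.CERT_REQUIRED)


def effective_verify_mode(cert_reqs):
    """Apply a cert_reqs value to a server-side SSLContext exactly as the ssl
    module interprets it and return the resulting verify_mode (an int enum)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs  # bool is an int subclass, so True becomes 1
    return ctx.verify_mode


def audit_cert_reqs(options):
    """Return a list of findings for a gunicorn options dict; [] means the
    server will insist on a valid client certificate."""
    findings = []
    value = options.get("cert_reqs", ssl.CERT_NONE)  # gunicorn's documented default
    if isinstance(value, bool):
        findings.append(
            "cert_reqs is the bool %r; ssl coerces it to %s, not CERT_REQUIRED"
            % (value, ssl.VerifyMode(int(value)).name))
    elif value != ssl.CERT_REQUIRED:
        findings.append(
            "cert_reqs=%r does not require a client certificate" % (value,))
    return findings


if __name__ == "__main__":
    print("True  ->", effective_verify_mode(True).name)               # CERT_OPTIONAL
    print("fixed ->", effective_verify_mode(ssl.CERT_REQUIRED).name)  # CERT_REQUIRED
    print("vulnerable:", audit_cert_reqs(VULNERABLE_OPTIONS))
    print("fixed:     ", audit_cert_reqs(FIXED_OPTIONS))
```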
Tracked as affected in the following codestreams:
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update

Cloud 7 is not affected since ssl.CERT_REQUIRED is used there, as opposed to Cloud 8 and 9.
SUSE-SU-2019:3068-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1153304,1155942,1156525
CVE References: CVE-2019-17134,CVE-2019-18874

Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1, crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1, crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1, openstack-barbican-7.0.1~dev21-3.3.1, openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1, openstack-keystone-14.1.1~dev28-3.16.1, openstack-neutron-13.0.6~dev8-3.16.2, openstack-neutron-gbp-5.0.1~dev476-3.13.1, openstack-neutron-lbaas-13.0.1~dev16-3.13.1, openstack-nova-18.2.4~dev22-3.16.2, openstack-octavia-3.2.1~dev3-3.16.1, openstack-sahara-9.0.2~dev14-3.6.1, python-psutil-5.4.6-3.3.1, release-notes-suse-openstack-cloud-9.20191025-3.15.1
SUSE OpenStack Cloud 9 (src): ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1, ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1, ardana-neutron-9.0+git.1572019823.6650494-3.16.1, ardana-nova-9.0+git.1572618171.4460843-3.13.1, openstack-barbican-7.0.1~dev21-3.3.1, openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1, openstack-keystone-14.1.1~dev28-3.16.1, openstack-neutron-13.0.6~dev8-3.16.2, openstack-neutron-gbp-5.0.1~dev476-3.13.1, openstack-neutron-lbaas-13.0.1~dev16-3.13.1, openstack-nova-18.2.4~dev22-3.16.2, openstack-octavia-3.2.1~dev3-3.16.1, openstack-sahara-9.0.2~dev14-3.6.1, python-psutil-5.4.6-3.3.1, release-notes-suse-openstack-cloud-9.20191025-3.15.1, venv-openstack-barbican-7.0.1~dev21-3.13.1, venv-openstack-cinder-13.0.8~dev8-3.13.1, venv-openstack-designate-7.0.1~dev22-3.13.1, venv-openstack-heat-11.0.3~dev23-3.13.1, venv-openstack-keystone-14.1.1~dev28-3.13.1, venv-openstack-magnum-7.1.1~dev28-4.13.1, venv-openstack-manila-7.3.1~dev15-3.13.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.13.1, venv-openstack-neutron-13.0.6~dev8-6.13.1, venv-openstack-nova-18.2.4~dev22-3.13.1, venv-openstack-octavia-3.2.1~dev3-4.13.1, venv-openstack-sahara-9.0.2~dev14-3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.