Bug 1153304 (CVE-2019-17134)

Summary: VUL-0: CVE-2019-17134: openstack-octavia: Octavia Amphora-Agent not requiring Client-Certificate
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jmoffitt
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/244307/
Whiteboard: CVSSv3:SUSE:CVE-2019-17134:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2019-10-08 09:55:43 UTC
Received via oss

=====================================================================
OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
=====================================================================

:Date: October 07, 2019
:CVE: CVE-2019-17134


Affects
~~~~~~~
- Octavia: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0


Description
~~~~~~~~~~~
Daniel Preussker reported a vulnerability in amphora-agent, running
within Octavia Amphora Instances which allows unauthenticated access
from the management network. This leads to information disclosure and
also allows changes to the configuration of the Amphora via simple
HTTP requests because cmd/agent.py gunicorn cert_reqs option is
incorrectly set to True instead of ssl.CERT_REQUIRED.


Patches
~~~~~~~
- https://review.opendev.org/686547 (Ocata)
- https://review.opendev.org/686546 (Pike)
- https://review.opendev.org/686545 (Queens)
- https://review.opendev.org/686544 (Rocky)
- https://review.opendev.org/686543 (Stein)
- https://review.opendev.org/686541 (Train)


Credits
~~~~~~~
- Daniel Preussker (CVE-2019-17134)


References
~~~~~~~~~~
- https://storyboard.openstack.org/#!/story/2006660
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17134


Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance and
  will receive no new point releases, but patches for them are provided as a
  courtesy.
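The root cause named in the advisory is a type confusion that Python accepts silently: the ssl module's CERT_NONE, CERT_OPTIONAL and CERT_REQUIRED are the integers 0, 1 and 2, and bool is an int subclass, so the value True compares equal to CERT_OPTIONAL. A server context configured that way verifies a client certificate if one is offered but does not fail the handshake when none is presented, which is exactly the unauthenticated access described above. The following helper is an added example, not code from Octavia, gunicorn or the advisory; it applies a candidate cert_reqs value to a stdlib server-side SSLContext and reports the verification mode that actually takes effect, so a reviewer or a config test can catch the True-versus-CERT_REQUIRED mistake before deployment.

```python
import ssl

# Constructed audit helper (not Octavia's or gunicorn's code). It applies a
# candidate cert_reqs value to a stdlib server-side TLS context and reports
# which verification mode really takes effect.


def effective_verify_mode(cert_reqs):
    """Return the ssl.VerifyMode a server context ends up with for cert_reqs.

    ssl accepts plain integers for verify_mode, and bool is an int subclass,
    so True is silently taken as 1, which is ssl.CERT_OPTIONAL, not
    ssl.CERT_REQUIRED (2).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs
    return ctx.verify_mode


def describe(cert_reqs):
    """Human-readable name of the effective mode, e.g. 'CERT_OPTIONAL'."""
    return ssl.VerifyMode(effective_verify_mode(cert_reqs)).name


def requires_client_cert(cert_reqs):
    """True only if a handshake without a client certificate is rejected."""
    return effective_verify_mode(cert_reqs) == ssl.CERT_REQUIRED


def audit(settings):
    """Map each labelled cert_reqs value to (effective mode name, enforced?).

    settings maps a label (e.g. a config file path) to the cert_reqs value
    found there; a False second element means mTLS is not actually enforced.
    """
    findings = {}
    for label, value in settings.items():
        findings[label] = (describe(value), requires_client_cert(value))
    return findings


if __name__ == "__main__":
    # Constructed sample: the vulnerable spelling beside the corrected one.
    sample = {
        "vulnerable (cert_reqs=True)": True,
        "fixed (cert_reqs=ssl.CERT_REQUIRED)": ssl.CERT_REQUIRED,
    }
    for label, (mode, enforced) in audit(sample).items():
        print(f"{label}: effective mode {mode}, client cert enforced: {enforced}")
```

Running the block prints CERT_OPTIONAL with "enforced: False" for the True spelling and CERT_REQUIRED with "enforced: True" for the fix; the same check can be wired into a unit test of the agent's TLS configuration so a regression fails CI rather than reaching the management network.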
Comment 1 Alexandros Toptsoglou 2019-10-08 11:36:08 UTC
Tracked the following codestreams as affected:

SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update

Cloud 7 is not affected since ssl.CERT_REQUIRED is used, as opposed to Cloud 8 and 9.
Comment 5 Swamp Workflow Management 2019-11-26 17:11:28 UTC
SUSE-SU-2019:3068-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1153304,1155942,1156525
CVE References: CVE-2019-17134,CVE-2019-18874
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1, crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1, crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1, openstack-barbican-7.0.1~dev21-3.3.1, openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1, openstack-keystone-14.1.1~dev28-3.16.1, openstack-neutron-13.0.6~dev8-3.16.2, openstack-neutron-gbp-5.0.1~dev476-3.13.1, openstack-neutron-lbaas-13.0.1~dev16-3.13.1, openstack-nova-18.2.4~dev22-3.16.2, openstack-octavia-3.2.1~dev3-3.16.1, openstack-sahara-9.0.2~dev14-3.6.1, python-psutil-5.4.6-3.3.1, release-notes-suse-openstack-cloud-9.20191025-3.15.1
SUSE OpenStack Cloud 9 (src):    ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1, ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1, ardana-neutron-9.0+git.1572019823.6650494-3.16.1, ardana-nova-9.0+git.1572618171.4460843-3.13.1, openstack-barbican-7.0.1~dev21-3.3.1, openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1, openstack-keystone-14.1.1~dev28-3.16.1, openstack-neutron-13.0.6~dev8-3.16.2, openstack-neutron-gbp-5.0.1~dev476-3.13.1, openstack-neutron-lbaas-13.0.1~dev16-3.13.1, openstack-nova-18.2.4~dev22-3.16.2, openstack-octavia-3.2.1~dev3-3.16.1, openstack-sahara-9.0.2~dev14-3.6.1, python-psutil-5.4.6-3.3.1, release-notes-suse-openstack-cloud-9.20191025-3.15.1, venv-openstack-barbican-7.0.1~dev21-3.13.1, venv-openstack-cinder-13.0.8~dev8-3.13.1, venv-openstack-designate-7.0.1~dev22-3.13.1, venv-openstack-heat-11.0.3~dev23-3.13.1, venv-openstack-keystone-14.1.1~dev28-3.13.1, venv-openstack-magnum-7.1.1~dev28-4.13.1, venv-openstack-manila-7.3.1~dev15-3.13.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.13.1, venv-openstack-neutron-13.0.6~dev8-6.13.1, venv-openstack-nova-18.2.4~dev22-3.13.1, venv-openstack-octavia-3.2.1~dev3-4.13.1, venv-openstack-sahara-9.0.2~dev14-3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.