Bug 1153304 - (CVE-2019-17134) VUL-0: CVE-2019-17134: openstack-octavia: Octavia Amphora-Agent not requiring Client-Certificate
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/244307/
CVSSv3:SUSE:CVE-2019-17134:6.5:(AV:N/...
Reported: 2019-10-08 09:55 UTC by Alexandros Toptsoglou
Modified: 2020-06-11 12:20 UTC (History)
Description Alexandros Toptsoglou 2019-10-08 09:55:43 UTC
Received via oss

=====================================================================
OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
=====================================================================

:Date: October 07, 2019
:CVE: CVE-2019-17134


Affects
~~~~~~~
- Octavia: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0


Description
~~~~~~~~~~~
Daniel Preussker reported a vulnerability in amphora-agent, running
within Octavia Amphora Instances which allows unauthenticated access
from the management network. This leads to information disclosure and
also allows changes to the configuration of the Amphora via simple
HTTP requests because cmd/agent.py gunicorn cert_reqs option is
incorrectly set to True instead of ssl.CERT_REQUIRED.


Patches
~~~~~~~
- https://review.opendev.org/686547 (Ocata)
- https://review.opendev.org/686546 (Pike)
- https://review.opendev.org/686545 (Queens)
- https://review.opendev.org/686544 (Rocky)
- https://review.opendev.org/686543 (Stein)
- https://review.opendev.org/686541 (Train)


Credits
~~~~~~~
- Daniel Preussker (CVE-2019-17134)


References
~~~~~~~~~~
- https://storyboard.openstack.org/#!/story/2006660
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17134


Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance and
  will receive no new point releases, but patches for them are provided as a
  courtesy.
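As an added illustration (not from the advisory, SUSE, or Octavia's own code) of why `cert_reqs = True` fails: in Python, `True` is the integer 1, and the `ssl` module maps 1 to `CERT_OPTIONAL`, so a peer that presents no client certificate is still accepted; only `ssl.CERT_REQUIRED` (2) rejects it. The option dicts below are constructed stand-ins for the gunicorn settings the advisory contrasts, and the CA path is a placeholder.

```python
import ssl

# Constructed stand-ins for the gunicorn option sets the advisory contrasts.
# The CA path is a placeholder, not Octavia's real configuration.
VULNERABLE_OPTIONS = {"cert_reqs": True, "ca_certs": "/path/to/client_ca.pem"}
FIXED_OPTIONS = {"cert_reqs": ssl.CERT_REQUIRED, "ca_certs": "/path/to/client_ca.pem"}


def effective_verify_mode(cert_reqs) -> ssl.VerifyMode:
    """Resolve a cert_reqs value the way the ssl module does.

    ssl.CERT_NONE == 0, ssl.CERT_OPTIONAL == 1, ssl.CERT_REQUIRED == 2, and
    bool is an int subclass, so True collapses to CERT_OPTIONAL.
    """
    return ssl.VerifyMode(int(cert_reqs))


def context_from_options(options: dict) -> ssl.SSLContext:
    """Build a server-side context from the options, as a TLS server would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = options["cert_reqs"]  # True is accepted here without complaint
    return ctx


def audit_cert_reqs(options: dict) -> list:
    """Return human-readable findings for a client-auth misconfiguration."""
    findings = []
    raw = options.get("cert_reqs", ssl.CERT_NONE)
    mode = effective_verify_mode(raw)
    if mode is not ssl.CERT_REQUIRED:
        findings.append(
            f"cert_reqs={raw!r} resolves to {mode.name}: "
            "connections without a client certificate are accepted"
        )
    if mode is not ssl.CERT_NONE and not options.get("ca_certs"):
        findings.append("ca_certs is unset: no CA to validate client certificates against")
    return findings


if __name__ == "__main__":
    for name, opts in (("vulnerable", VULNERABLE_OPTIONS), ("fixed", FIXED_OPTIONS)):
        mode = context_from_options(opts).verify_mode.name
        print(name, mode, audit_cert_reqs(opts) or "OK")
```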
Comment 1 Alexandros Toptsoglou 2019-10-08 11:36:08 UTC
Tracked the following codestreams as affected:

SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update

Cloud 7 is not affected since ssl.CERT_REQUIRED is used there, as opposed to Cloud 8 and 9.
Comment 5 Swamp Workflow Management 2019-11-26 17:11:28 UTC
SUSE-SU-2019:3068-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1153304,1155942,1156525
CVE References: CVE-2019-17134,CVE-2019-18874
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1, crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1, crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1, openstack-barbican-7.0.1~dev21-3.3.1, openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1, openstack-keystone-14.1.1~dev28-3.16.1, openstack-neutron-13.0.6~dev8-3.16.2, openstack-neutron-gbp-5.0.1~dev476-3.13.1, openstack-neutron-lbaas-13.0.1~dev16-3.13.1, openstack-nova-18.2.4~dev22-3.16.2, openstack-octavia-3.2.1~dev3-3.16.1, openstack-sahara-9.0.2~dev14-3.6.1, python-psutil-5.4.6-3.3.1, release-notes-suse-openstack-cloud-9.20191025-3.15.1
SUSE OpenStack Cloud 9 (src):    ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1, ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1, ardana-neutron-9.0+git.1572019823.6650494-3.16.1, ardana-nova-9.0+git.1572618171.4460843-3.13.1, openstack-barbican-7.0.1~dev21-3.3.1, openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1, openstack-keystone-14.1.1~dev28-3.16.1, openstack-neutron-13.0.6~dev8-3.16.2, openstack-neutron-gbp-5.0.1~dev476-3.13.1, openstack-neutron-lbaas-13.0.1~dev16-3.13.1, openstack-nova-18.2.4~dev22-3.16.2, openstack-octavia-3.2.1~dev3-3.16.1, openstack-sahara-9.0.2~dev14-3.6.1, python-psutil-5.4.6-3.3.1, release-notes-suse-openstack-cloud-9.20191025-3.15.1, venv-openstack-barbican-7.0.1~dev21-3.13.1, venv-openstack-cinder-13.0.8~dev8-3.13.1, venv-openstack-designate-7.0.1~dev22-3.13.1, venv-openstack-heat-11.0.3~dev23-3.13.1, venv-openstack-keystone-14.1.1~dev28-3.13.1, venv-openstack-magnum-7.1.1~dev28-4.13.1, venv-openstack-manila-7.3.1~dev15-3.13.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.13.1, venv-openstack-neutron-13.0.6~dev8-6.13.1, venv-openstack-nova-18.2.4~dev22-3.13.1, venv-openstack-octavia-3.2.1~dev3-4.13.1, venv-openstack-sahara-9.0.2~dev14-3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.