CVE-2019-17134

Name of the Vulnerable Software and Affected Versions OpenStack Octavia versions 0.10.0 through 2.1.2 OpenStack Octavia versions 3.0.0 through 3.2.0 OpenStack Octavia versions 4.0.0 through 4.1.0

Description The issue is related to a flaw in the authentication procedure of the Amphora load balancer in OpenStack Octavia. This flaw allows an attacker with access to the management network to bypass client-certificate based authentication. As a result, the attacker can retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443. The problem arises because the cmd/agent.py gunicorn cert reqs option is set to True but should be set to ssl.CERT REQUIRED.

Recommendations For OpenStack Octavia versions 0.10.0 through 2.1.2, update to version 2.1.2 or later to resolve the issue. For OpenStack Octavia versions 3.0.0 through 3.2.0, update to version 3.2.0 or later to resolve the issue. For OpenStack Octavia versions 4.0.0 through 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Agent on port https/9443 to minimize the risk of exploitation.