PT-2019-5610 · OpenStack · OpenStack Octavia
Published: 2019-05-27 · Updated: 2022-05-24 · CVE-2019-3895
CVSS v3.1: 8.0 (High)
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenStack Octavia (affected versions not specified)
Description
An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. This flaw allows a remote attacker to upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image, potentially impacting the confidentiality, integrity, and availability of protected information.
Recommendations
To prevent this vulnerability:
- Set the Octavia configuration option amp_image_owner_id = <UUID of the service project> in octavia.conf on all Octavia nodes.
- Enable the new configuration by restarting both octavia-worker and octavia-health-manager.
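A defender-side check for the setting above, added here as an example (not code from the advisory or from the Octavia project): it parses an octavia.conf and reports whether amp_image_owner_id is missing, empty, malformed, or points at a project other than the service project. It assumes the option sits in the [controller_worker] section, where upstream Octavia defines it; the UUID and the two config texts are constructed samples.

```python
"""Verify that octavia.conf pins amphora images to the service project."""
import configparser
import re

# Constructed sample service-project UUID (placeholder, not a real deployment value).
SERVICE_PROJECT_ID = "0f3a6f3e-2b1c-4d5e-8a9b-123456789abc"

# Constructed octavia.conf before the fix: no owner filter, so any project's
# amphora-tagged image could be selected when new amphorae are spawned.
VULNERABLE_CONF = """
[DEFAULT]
debug = False
[controller_worker]
amp_image_tag = amphora
"""

# Constructed octavia.conf after applying the advisory's recommendation.
FIXED_CONF = """
[DEFAULT]
debug = False
[controller_worker]
amp_image_tag = amphora
amp_image_owner_id = 0f3a6f3e-2b1c-4d5e-8a9b-123456789abc
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def check_amp_image_owner(conf_text, service_project_id):
    """Return a list of findings; an empty list means the fix is in place."""
    # Octavia config is oslo.config INI; strict=False tolerates repeated keys,
    # interpolation=None keeps '%' in values from being treated specially.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("controller_worker"):
        return ["missing [controller_worker] section"]
    value = cp.get("controller_worker", "amp_image_owner_id", fallback="").strip()
    if not value:
        return ["amp_image_owner_id unset: any project's amphora-tagged image may be used"]
    if not UUID_RE.match(value):
        return ["amp_image_owner_id is not a UUID: %r" % value]
    if value.lower() != service_project_id.lower():
        return ["amp_image_owner_id does not match the service project id"]
    return []


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(name, check_amp_image_owner(conf, SERVICE_PROJECT_ID) or ["ok"])
```

Run it against the real octavia.conf on each Octavia node after the restart; the service project UUID comes from your identity service, not from this script.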
Weakness Enumeration
Improper Access Control
Related identifiers
Affected products
OpenStack Octavia
Red Hat OpenStack Platform Director