Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 8 Oct 2019 11:24:09 +0200
From: Daniel 'f0o' Preussker <>
Subject: [OSSA-2019-005] Octavia Amphora-Agent not requiring
 Client-Certificate (CVE-2019-17134)

OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate

:Date: October 07, 2019
:CVE: CVE-2019-17134

- Octavia: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0

Daniel Preussker reported a vulnerability in amphora-agent, running
within Octavia Amphora Instances which allows unauthenticated access
from the management network. This leads to information disclosure and
also allows changes to the configuration of the Amphora via simple
HTTP requests because cmd/ gunicorn cert_reqs option is
incorrectly set to True instead of ssl.CERT_REQUIRED.

- (Ocata)
- (Pike)
- (Queens)
- (Rocky)
- (Stein)
- (Train)

- Daniel Preussker (CVE-2019-17134)


- The stable/ocata and stable/pike branches are under extended maintenance and
  will receive no new point releases, but patches for them are provided as a

Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.