Bug 1694608 (CVE-2019-3895) - CVE-2019-3895 openstack-tripleo-common: Allows running new amphorae based on arbitrary images
Status: CLOSED ERRATA
Alias: CVE-2019-3895
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190527,repor...
Depends On: 1696504 1714380 1696502 1696503
Blocks: 1694609
Reported: 2019-04-01 08:58 UTC by Andrej Nemec
Modified: 2019-07-23 00:21 UTC (History)
CC: 14 users

Fixed In Version: openstack-tripleo-common-8.6.8-9, openstack-tripleo-common-9.5.0-5
Doc Type: If docs needed, set a value
Doc Text:
An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on an arbitrary image. This meant that a remote attacker could upload a new amphora image and, when Octavia was asked to spawn new amphorae, it would pick up the compromised image.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:06:54 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1683 None None None 2019-07-02 19:44:18 UTC
Red Hat Product Errata RHSA-2019:1742 None None None 2019-07-10 13:01:46 UTC

Description Andrej Nemec 2019-04-01 08:58:20 UTC
An attacker may cause new amphorae to run based on any arbitrary image. The attacker only needs to create an image in his/her own user project, set the same tag "amphora-image" and share it with the "service" project. Upon request to spawn new amphorae, Octavia will now pick up the compromised image.

Comment 6 Joshua Padman 2019-04-07 09:27:28 UTC
Acknowledgments:

Name: Carlos Goncalves (Red Hat)

Comment 9 Joshua Padman 2019-04-09 00:31:05 UTC
Octavia was introduced in Red Hat OpenStack 12 and has been supported in newer versions. Upstream identified the issue and the code was merged into products delivered by Red Hat; however, the configuration was not set by default. This CVE covers Red Hat OpenStack Director's default deployment of Octavia being insecure.

Related upstream flaw: https://bugs.launchpad.net/octavia/+bug/1620629

Comment 11 Summer Long 2019-04-09 00:59:04 UTC
Mitigation:

To prevent this vulnerability:
1. Update Octavia's configuration setting (octavia.conf) to `amp_image_owner_id = $UUID_OF_SERVICE_PROJECT` on all Octavia nodes. 
2. Enable the new configuration by restarting both `octavia_worker` and `octavia_health_manager`.
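The following is an added example, not part of this bug report and not Octavia's own code. It models the image-selection step the mitigation above is about: the newest active Glance image carrying the `amphora-image` tag is chosen, and with `amp_image_owner_id` unset an image that another project shared with "service" qualifies just like the service project's own image. The image ids, project ids and `octavia.conf` fragments are constructed placeholders; the assumption that `amp_image_owner_id` sits in the `[controller_worker]` section beside `amp_image_tag` is noted in the code.

```python
# Added example (not code from this bug report or from Octavia itself):
# a simplified model of how an amphora image is picked from a Glance image
# listing, with and without amp_image_owner_id, plus a check of octavia.conf.
import configparser

# Constructed sample of what an image listing might contain. The owner ids
# and image ids are placeholders, not real project or image UUIDs.
SERVICE_PROJECT_ID = "aaaaaaaa-0000-0000-0000-000000000001"   # placeholder
ATTACKER_PROJECT_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # placeholder

SAMPLE_IMAGES = [
    {"id": "img-service-amphora", "owner": SERVICE_PROJECT_ID,
     "tags": ["amphora-image"], "status": "active",
     "updated_at": "2019-03-01T10:00:00"},
    {"id": "img-shared-by-tenant", "owner": ATTACKER_PROJECT_ID,
     "tags": ["amphora-image"], "status": "active",   # same tag, shared with "service"
     "updated_at": "2019-03-30T10:00:00"},             # newer than the service image
    {"id": "img-unrelated", "owner": SERVICE_PROJECT_ID,
     "tags": ["centos"], "status": "active",
     "updated_at": "2019-03-31T10:00:00"},
]


def select_amphora_image(images, tag="amphora-image", owner_id=None):
    """Return the id of the newest active image carrying `tag`.

    Without `owner_id` every image visible to the service project qualifies,
    including images other projects shared with it. With `owner_id` set, only
    images owned by that project are considered (the amp_image_owner_id fix).
    """
    candidates = [img for img in images
                  if tag in img["tags"] and img["status"] == "active"]
    if owner_id:
        candidates = [img for img in candidates if img["owner"] == owner_id]
    if not candidates:
        return None
    # ISO-8601 timestamps written in one format sort chronologically as strings.
    return max(candidates, key=lambda img: img["updated_at"])["id"]


def amp_image_owner_id_from_conf(conf_text):
    """Read amp_image_owner_id from an octavia.conf fragment (None if unset).

    Assumption: the option lives in the [controller_worker] section, next to
    amp_image_tag.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    value = parser.get("controller_worker", "amp_image_owner_id", fallback="")
    return value.strip() or None


# Constructed config fragments: the default (unset) case and the mitigated case.
VULNERABLE_CONF = """
[controller_worker]
amp_image_tag = amphora-image
"""

FIXED_CONF = f"""
[controller_worker]
amp_image_tag = amphora-image
amp_image_owner_id = {SERVICE_PROJECT_ID}
"""


def pick_with_conf(conf_text, images=SAMPLE_IMAGES):
    """Select the image exactly as the given configuration would filter it."""
    owner_id = amp_image_owner_id_from_conf(conf_text)
    return select_amphora_image(images, owner_id=owner_id)


if __name__ == "__main__":
    print("owner id unset ->", pick_with_conf(VULNERABLE_CONF))  # img-shared-by-tenant
    print("owner id set   ->", pick_with_conf(FIXED_CONF))       # img-service-amphora
```

Running `amp_image_owner_id_from_conf` over the `octavia.conf` on each Octavia node is a quick way to confirm step 1 took effect; the restart in step 2 is still needed before the running workers read the new value.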

Comment 15 Joshua Padman 2019-05-27 23:32:27 UTC
Created openstack-tripleo-common tracking bugs for this issue:

Affects: openstack-rdo [bug 1714380]

Comment 19 errata-xmlrpc 2019-07-02 19:44:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:1683 https://access.redhat.com/errata/RHSA-2019:1683

Comment 20 errata-xmlrpc 2019-07-10 13:01:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:1742 https://access.redhat.com/errata/RHSA-2019:1742

Comment 21 Product Security DevOps Team 2019-07-12 13:06:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3895

Comment 22 Summer Long 2019-07-23 00:04:56 UTC
External References:

Upstream tripleo-common bug: https://bugs.launchpad.net/tripleo/+bug/1830607
Upstream fix: https://github.com/openstack/tripleo-common/commit/e7c5eab712e0f70ecbc6d225d4766e0fe0f3f884

