Bug 1694608 (CVE-2019-3895) - CVE-2019-3895 openstack-tripleo-common: Allows running new amphorae based on arbitrary images
Summary: CVE-2019-3895 openstack-tripleo-common: Allows running new amphorae based on ...
Status: NEW
Alias: CVE-2019-3895
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190527,repor...
Keywords: Security
Depends On: 1696502 1696503 1696504 1714380
Blocks: 1694609
Reported: 2019-04-01 08:58 UTC by Andrej Nemec
Modified: 2019-06-05 04:41 UTC (History)

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphora image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.
Clone Of:
Last Closed:



Description Andrej Nemec 2019-04-01 08:58:20 UTC
An attacker may cause new amphorae to run based on any arbitrary image. The attacker only needs to create an image in his/her own user project, set the same tag "amphora-image" and share it with the "service" project. Upon request to spawn new amphorae, Octavia will now pick up the compromised image.

Comment 6 Joshua Padman 2019-04-07 09:27:28 UTC
Acknowledgments:

Name: Carlos Goncalves (Red Hat)

Comment 9 Joshua Padman 2019-04-09 00:31:05 UTC
Octavia was introduced in Red Hat OpenStack 12 and has been supported in newer versions. Upstream identified the issue and the code was merged into products delivered by Red Hat; however, the configuration was not set by default. This CVE covers Red Hat OpenStack Director's default deployment of Octavia being insecure.

Related upstream flaw: https://bugs.launchpad.net/octavia/+bug/1620629

Comment 11 Summer Long 2019-04-09 00:59:04 UTC
Mitigation:

To prevent this vulnerability:
1. Update Octavia's configuration setting (octavia.conf) to `amp_image_owner_id = $UUID_OF_SERVICE_PROJECT` on all Octavia nodes. 
2. Enable the new configuration by restarting both `octavia_worker` and `octavia_health_manager`.
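
The following is an added example, not code from Octavia, tripleo-common or any of the commenters. It models in simplified form why `amp_image_owner_id` closes the gap described in the comments above: without an owner filter, the newest active image carrying the amphora tag is chosen even if it was merely shared into the service project; with the owner filter, only images owned by the service project qualify. It also checks an `octavia.conf` fragment for the setting from step 1. The `[controller_worker]` section name and the `amp_image_tag` option are assumed from the upstream configuration layout; the image records, project UUIDs and config fragments are constructed placeholders.

```python
"""Added example (not Octavia's code): simplified amphora image selection plus an
octavia.conf check for amp_image_owner_id. All data below is constructed."""
import configparser
from datetime import datetime

# Placeholder project UUIDs (constructed, not from the bug report).
SERVICE_PROJECT_ID = "11111111-1111-1111-1111-111111111111"
OTHER_PROJECT_ID = "22222222-2222-2222-2222-222222222222"

# Constructed image listing in the shape an image service would return:
# one service-owned amphora image, one newer tagged image shared in from
# another project, and one untagged image that must never be considered.
IMAGES = [
    {"id": "img-service-old", "owner": SERVICE_PROJECT_ID, "tags": ["amphora-image"],
     "status": "active", "created_at": "2019-01-10T00:00:00Z"},
    {"id": "img-shared-newer", "owner": OTHER_PROJECT_ID, "tags": ["amphora-image"],
     "status": "active", "created_at": "2019-03-30T00:00:00Z"},
    {"id": "img-untagged", "owner": SERVICE_PROJECT_ID, "tags": [],
     "status": "active", "created_at": "2019-04-01T00:00:00Z"},
]


def select_amphora_image(images, tag, owner_id=None):
    """Return the id of the newest active image carrying `tag`, or None.

    owner_id=None models the insecure default from the bug: every image visible
    to the service project is eligible, including images shared into it.
    With owner_id set, only images owned by that project are considered.
    """
    candidates = [
        img for img in images
        if img["status"] == "active"
        and tag in img["tags"]
        and (owner_id is None or img["owner"] == owner_id)
    ]
    if not candidates:
        return None
    newest = max(candidates,
                 key=lambda img: datetime.strptime(img["created_at"], "%Y-%m-%dT%H:%M:%SZ"))
    return newest["id"]


# Constructed octavia.conf fragments: the vulnerable default and the mitigated one.
CONF_DEFAULT = """
[controller_worker]
amp_image_tag = amphora-image
"""

CONF_MITIGATED = """
[controller_worker]
amp_image_tag = amphora-image
amp_image_owner_id = 11111111-1111-1111-1111-111111111111
"""


def owner_from_conf(conf_text):
    """Read amp_image_owner_id from a config fragment (None when unset)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    value = parser.get("controller_worker", "amp_image_owner_id", fallback="").strip()
    return value or None


def check_amp_image_owner(conf_text, expected_owner_id):
    """Return (ok, message) describing whether the mitigation is in place."""
    owner = owner_from_conf(conf_text)
    if owner is None:
        return False, "amp_image_owner_id is unset: any shared image tagged amphora-image is eligible"
    if owner != expected_owner_id:
        return False, f"amp_image_owner_id={owner} does not match the service project {expected_owner_id}"
    return True, "amp_image_owner_id restricts amphora images to the service project"


if __name__ == "__main__":
    for label, conf in (("default", CONF_DEFAULT), ("mitigated", CONF_MITIGATED)):
        chosen = select_amphora_image(IMAGES, "amphora-image", owner_from_conf(conf))
        ok, msg = check_amp_image_owner(conf, SERVICE_PROJECT_ID)
        print(f"{label}: selected {chosen}; check {'OK' if ok else 'FAIL'}: {msg}")
```

Run against the constructed data, the default configuration selects the newer shared image while the mitigated configuration selects only the service-owned one; the config check reports FAIL for the former and OK for the latter, which is the state step 1 above is meant to reach on every Octavia node.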

Comment 15 Joshua Padman 2019-05-27 23:32:27 UTC
Created openstack-tripleo-common tracking bugs for this issue:

Affects: openstack-rdo [bug 1714380]

