CVE-2019-17134
published 2019-10-08

CVE-2019-17134: Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based…

Priority: P2 · 61 · critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 2.30% (81.1th percentile)
Amphora images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0 and >=4.0.0 <4.1.0 (ranges as in the affected-version table below; the NVD text lost its less-than signs) allow anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTPS requests to the amphora agent on port 9443. The cause is that cmd/agent.py sets the gunicorn cert_reqs option to True where ssl.CERT_REQUIRED was intended. Since Python's True == 1 == ssl.CERT_OPTIONAL, a client certificate is verified when one is presented, but a connection that presents none is still accepted.

Affected (12 ranges)

Vendor      Product        Version range            Fixed in
canonical   ubuntu_linux   (not given)              (not given)
debian      octavia        < 4.0.0-6 (bookworm)     4.0.0-6 (bookworm)
opendev     octavia        >= 0.10.0 < 2.1.2        2.1.2
opendev     octavia        >= 3.0.0 < 3.2.0         3.2.0
opendev     octavia        >= 4.0.0 < 4.1.0         4.1.0
openstack   octavia        >= 0 < 4.0.0-6           4.0.0-6
openstack   octavia        >= 0 < 4.0.0-6           4.0.0-6
openstack   octavia        >= 0 < 4.0.0-6           4.0.0-6
openstack   octavia        >= 0 < 4.0.0-6           4.0.0-6
openstack   octavia        >= 0.10.0 < 2.1.2        2.1.2
openstack   octavia        >= 3.0.0 < 3.2.0         3.2.0
openstack   octavia        >= 4.0.0 < 4.1.0         4.1.0

Detection & IOCs (extracted from sources)

port: 9443
path: cmd/agent.py
  • Monitor for HTTPS requests to the Octavia amphora-agent on port 9443 that arrive over TLS sessions carrying no client certificate. The agent is meant to require mutual TLS; with this misconfiguration such sessions complete and the requests succeed.
  • The root cause is gunicorn's cert_reqs option set to the boolean True instead of ssl.CERT_REQUIRED. Because True == 1 == ssl.CERT_OPTIONAL, a client certificate is validated if presented but is never required, so the check appears configured yet enforces nothing. Audit amphora-agent configurations (cmd/agent.py) for this setting to identify vulnerable deployments.
  • Affected versions are Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0 and >=4.0.0 <4.1.0; use version detection to identify unpatched amphora images in the environment.
  • Exploitation requires access to the management network. Reconnaissance or lateral movement from within that segment targeting port 9443 without presenting a client certificate is a strong indicator of exploitation.
  • There is no workaround or mitigation; the only fix is applying the vendor-supplied updates. Since the agent runs inside the amphora image, existing amphorae need to be rebuilt from a fixed image.
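As an added example (not code from this page or from the Octavia project), the following Python shows the root cause described in the bullets above, audits a gunicorn options block for the bad cert_reqs value, and probes an agent port without presenting a client certificate. The sample options dicts, the file paths and the probe_without_client_cert helper are constructed for illustration and are not Octavia's own source.

```python
"""Added example (not Octavia's code): why gunicorn cert_reqs=True does not
enforce client certificates, a config audit for it, and a no-client-cert probe.
The sample options dicts, paths and the probe helper are illustrative."""
import re
import socket
import ssl


# ssl's verify modes are small integers and bool is an int subclass, so
# True == 1 == ssl.CERT_OPTIONAL: a presented client cert is validated, but a
# client that presents none is still accepted. Only CERT_REQUIRED (2) rejects it.
def effective_verify_mode(cert_reqs):
    """VerifyMode an SSLContext actually applies for a cert_reqs value."""
    return ssl.VerifyMode(int(cert_reqs))


def enforces_client_cert(cert_reqs):
    return effective_verify_mode(cert_reqs) is ssl.VerifyMode.CERT_REQUIRED


def context_verify_mode(cert_reqs):
    """What a server context ends up with after ctx.verify_mode = cert_reqs,
    which is how gunicorn-style servers apply the option."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs
    return ctx.verify_mode


# Spellings of cert_reqs an operator may find in agent source or a gunicorn config.
_SYMBOLIC = {
    "ssl.CERT_NONE": ssl.CERT_NONE,
    "ssl.CERT_OPTIONAL": ssl.CERT_OPTIONAL,
    "ssl.CERT_REQUIRED": ssl.CERT_REQUIRED,
    "False": 0,
    "True": 1,
}
_CERT_REQS_RE = re.compile(r"""['"]?cert_reqs['"]?\s*[:=]\s*([A-Za-z_.]+|\d+)""")


def audit_cert_reqs(source):
    """Return (line_no, raw_value, effective_mode) for every cert_reqs setting
    in `source` that does not resolve to CERT_REQUIRED."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = _CERT_REQS_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        value = int(raw) if raw.isdigit() else _SYMBOLIC.get(raw)
        if value is None:
            findings.append((lineno, raw, "unknown"))  # review by hand
            continue
        try:
            mode = effective_verify_mode(value)
        except ValueError:
            findings.append((lineno, raw, "invalid"))
            continue
        if mode is not ssl.VerifyMode.CERT_REQUIRED:
            findings.append((lineno, raw, mode.name))
    return findings


# Constructed sample options blocks (paths are illustrative, not Octavia's).
VULNERABLE_OPTIONS = """options = {
    'bind': '0.0.0.0:9443',
    'certfile': '/etc/octavia/certs/server.pem',
    'ca_certs': '/etc/octavia/certs/client_ca.pem',
    'cert_reqs': True,
}
"""
FIXED_OPTIONS = VULNERABLE_OPTIONS.replace(
    "'cert_reqs': True", "'cert_reqs': ssl.CERT_REQUIRED")


def probe_without_client_cert(host, port=9443, timeout=5.0):
    """Connect with no client certificate and send one HTTP request.
    A correctly enforced server aborts the handshake or the first exchange
    (SSLError / connection reset); a server running with CERT_OPTIONAL
    answers the request. Network-dependent, so not part of the self-test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # the agent cert is issued by a private CA
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                status = tls.recv(64).split(b"\r\n", 1)[0].decode(errors="replace")
                return "client cert NOT enforced", status
    except (ssl.SSLError, ConnectionError) as exc:
        return "client cert enforced (rejected)", str(exc)


if __name__ == "__main__":
    print("cert_reqs=True resolves to", effective_verify_mode(True).name)
    print("vulnerable:", audit_cert_reqs(VULNERABLE_OPTIONS))
    print("fixed:", audit_cert_reqs(FIXED_OPTIONS))
```

Run the module to see the resolution of True to CERT_OPTIONAL and the audit findings; call probe_without_client_cert against an amphora's management address only from a host that is authorised to reach that network, and treat any HTTP status line coming back as a vulnerable agent.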

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd             v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:P/A:N
osv             -         9.1     CRITICAL   -
vendor_debian   -         9.1     CRITICAL   -
vendor_redhat   -         9.1     CRITICAL   -