OpenStack Octavia is vulnerable to authentication bypass. An attacker is able to bypass authentication and gain access to the application due to an incorrect configuration in cmd/agent.py, whereby the gunicorn cert_reqs option is set to True instead of ssl.CERT_REQUIRED.
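The following is an added illustration, not code from Octavia, gunicorn, or the advisory above. It shows why the boolean is the wrong value: gunicorn passes cert_reqs through to Python's ssl module, which interprets it as an integer verify mode (CERT_NONE == 0, CERT_OPTIONAL == 1, CERT_REQUIRED == 2), and since bool is an int subclass, True becomes CERT_OPTIONAL, so a peer that presents no client certificate is still accepted. The config dicts and the audit helper are constructed stand-ins for a gunicorn configuration; the only real API used is the standard ssl module.

```python
import ssl

# Constructed gunicorn-style settings: the misconfiguration described in the
# advisory next to the intended value. Stand-ins, not Octavia's own config.
WEAK_CONFIG = {"cert_reqs": True}
FIXED_CONFIG = {"cert_reqs": ssl.CERT_REQUIRED}


def effective_verify_mode(cert_reqs):
    """Return the ssl.VerifyMode the ssl module will actually apply.

    The value is treated as an integer: CERT_NONE == 0, CERT_OPTIONAL == 1,
    CERT_REQUIRED == 2. Because bool subclasses int, True == 1 == CERT_OPTIONAL.
    """
    return ssl.VerifyMode(int(cert_reqs))


def requires_client_cert(cert_reqs):
    """True only if a peer that presents no certificate will be rejected."""
    return effective_verify_mode(cert_reqs) == ssl.CERT_REQUIRED


def context_verify_mode(cert_reqs):
    """Apply the setting to a real server-side SSLContext and read back what stuck."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs
    return ctx.verify_mode


def audit(config):
    """Constructed check: return findings for a gunicorn-style config dict."""
    findings = []
    value = config.get("cert_reqs", ssl.CERT_NONE)
    if isinstance(value, bool):
        findings.append(
            f"cert_reqs is the boolean {value!r}; ssl interprets it as "
            f"{effective_verify_mode(value).name}, not CERT_REQUIRED"
        )
    if not requires_client_cert(value):
        findings.append(
            "client certificates are not required; peers without a certificate can connect"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: verify_mode={context_verify_mode(cfg['cert_reqs']).name}")
        for finding in audit(cfg):
            print(f"  - {finding}")
```

Running the script shows the weak configuration landing on CERT_OPTIONAL with two findings and the fixed one on CERT_REQUIRED with none; the same `audit` check can be pointed at any gunicorn settings that enable client-certificate authentication.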
access.redhat.com/errata/RHSA-2019:3743
access.redhat.com/errata/RHSA-2019:3788
bugzilla.suse.com/show_bug.cgi?id=1153304
github.com/openstack/octavia/commit/1725517d1d209f26b2275306d83e49c099dcbe1a
review.opendev.org/686541
review.opendev.org/686543
review.opendev.org/686544
review.opendev.org/686545
review.opendev.org/686546
review.opendev.org/686547
security.openstack.org/ossa/OSSA-2019-005.html
storyboard.openstack.org/#!/story/2006660
usn.ubuntu.com/4153-1/