Impact: Moderate Public Date: 2019-05-27 CWE: CWE-284 Bugzilla: 1694608: CVE-2019-3895 openstack-tripleo-common: Allows running new amphorae based on arbitrary images An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.
Find out more about CVE-2019-3895 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 14.0 (Rocky) | openstack-tripleo-common | Affected |
| Red Hat OpenStack Platform 13.0 (Queens) | openstack-tripleo-common | Affected |
To prevent this vulnerability:
1. Update Octavia's configuration setting (octavia.conf) to `amp_image_owner_id = $UUID_OF_SERVICE_PROJECT` on all Octavia nodes.
2. Enable the new configuration by restarting both `octavia_worker` and `octavia_health_manager`.
Vulmon