When you’re on vacation and just can’t stay still so you start poking around new things…

This time it lead me to discover a severe authentication bypass in OpenStack Octavia LBaaS or better known as CVE-2019-17134 or OSSA-2019-005.

Patches are available now through pip and RDO. Ubuntu is currently polishing up the packages and will follow soon.

The attack vector requires the adversary to be on the management network of the LBaaS component, sadly this is often the case to eliminate network complexity.

This issue is a perfect example for the importance of Security in Depth. You cannot rely on a single lock to keep your systems secured.

It was a fun weekend together with the Development Team of Octavia to solve this and get all the paperwork done for OpenStack’s Vulnerability Management Team.

MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17134

OSSA: https://security.openstack.org/ossa/OSSA-2019-005.html