CVE-2019-17134

9.1 CRITICAL

📋 TL;DR

An attacker who can reach the OpenStack Octavia management network can bypass the amphora agent's client-certificate authentication and retrieve information or issue configuration commands by sending ordinary HTTPS requests, with no client certificate at all, to the agent on port 9443. It affects Octavia deployments whose Amphora Images were built from the affected versions. The root cause is that the agent's TLS server was configured so that a client certificate was requested but not actually required (cert_reqs was not ssl.CERT_REQUIRED).

💻 Affected Systems

Products:
  • OpenStack Octavia
Versions: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0
Operating Systems: Linux distributions running OpenStack
Default Config Vulnerable: ⚠️ Yes
Notes: Only deployments using Amphora Images are affected. The vulnerable agent runs inside every amphora VM and listens on port 9443 on the load balancer management network (lb-mgmt-net); the attacker needs reachability to that network and nothing else.

📦 What is this software?

OpenStack Octavia is the OpenStack load-balancing service. It boots "amphora" virtual machines from a prebuilt Amphora Image; each amphora runs HAProxy plus a small REST agent on port 9443 through which the Octavia control plane (worker, health manager, housekeeping) pushes listener configuration and TLS certificates and collects status over the management network. The agent is meant to accept only clients that present a certificate issued by the deployment's Octavia CA, which is the control that this CVE defeats.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full control of every amphora reachable on the management network: an attacker can push arbitrary HAProxy configuration to redirect or intercept load-balanced traffic, retrieve the information the agent exposes about the amphora and its listeners, or take the load balancers down, affecting every tenant application fronted by Octavia.

🟠

Likely Case

Unauthorized configuration changes to load balancers, service disruption, or information disclosure about the load balancing infrastructure.

🟢

If Mitigated

Limited impact if proper network segmentation isolates the management network and strict access controls are implemented.

🌐 Internet-Facing: LOW (requires access to management network which should not be internet-facing)
🏢 Internal Only: HIGH (anyone with internal management network access can exploit this vulnerability)

🎯 Exploit Status

Public PoC: ❌ None known
Weaponized: No public weaponized exploit known, and none is needed: any TLS client that omits the client certificate will do
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network reachability to an amphora's management address; no credentials or certificates are needed. Because the agent requested a client certificate but did not insist on one, any TLS client that simply does not present a certificate (curl, a Python requests session, a raw ssl socket) completes the handshake and is served exactly like a legitimate controller.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.2, 3.2.0, 4.1.0 or later

Upstream fix (Gerrit review): https://review.opendev.org/686541

Restart Required: Yes, and more than a restart: the vulnerable code is the agent baked into the Amphora Image, so amphorae already running stay vulnerable until they are replaced from a rebuilt image.

Instructions:

1. Update OpenStack Octavia to version 2.1.2, 3.2.0, 4.1.0 or later on the control plane and restart the Octavia services.
2. Rebuild the Amphora Image from the patched source (the diskimage-create.sh script in the Octavia tree), upload it to Glance, and give it the tag configured in [controller_worker] amp_image_tag so that new amphorae are created from it.
3. Fail over every existing load balancer (for example `openstack loadbalancer failover <lb-id>`) so its amphorae are recreated from the patched image.
4. Verify that a TLS connection to port 9443 that presents no client certificate is now refused (see "How to Verify" below).

🔧 Temporary Workarounds

Network Segmentation

The agent listens inside each amphora on the lb-mgmt-net, so the natural control point is the security group Octavia attaches to amphora management ports ([controller_worker] amp_secgroup_list in octavia.conf): allow TCP 9443 only from the controller hosts (worker, health manager, housekeeping) and from nothing else. Where a host firewall is the control you have (for example on a node that routes into the management network, or in a custom image), restrict 9443 the same way. Insert both rules at the top of the chain rather than appending them, otherwise an existing blanket ACCEPT earlier in the chain silently wins; inserting the DROP first and then the ACCEPT at position 1 leaves ACCEPT above DROP:

iptables -I INPUT 1 -p tcp --dport 9443 -j DROP
iptables -I INPUT 1 -p tcp --dport 9443 -s <controller_ip> -j ACCEPT

Certificate Enforcement

The broken setting is not an octavia.conf option. cert_reqs is a server option the amphora agent passes to gunicorn from its own code, and the upstream fix changes that value to ssl.CERT_REQUIRED. A deployer cannot correct it through configuration on the controller or in the amphora's agent config file; the only way to enforce client certificates is to rebuild the Amphora Image with the patched agent and fail over existing amphorae onto it.

🧯 If You Can't Patch

  • Restrict TCP 9443 on the management network to the Octavia controller hosts via the amphora security group and host firewalls, and keep the lb-mgmt-net off any tenant-reachable or internet-reachable path
  • Log and alert on every connection to 9443 from a source that is not a controller host, and on load balancer configuration changes (HAProxy config, listener certificates) that do not match an Octavia API call in the controller logs

🔍 How to Verify

Check if Vulnerable:

The controller package version tells you which code the control plane runs, but the vulnerable code is the agent inside the Amphora Image, so check both. On a controller run octavia-api --version (or pip show octavia). Then check which image the amphorae were built from: if the image currently tagged with [controller_worker] amp_image_tag was built from an affected version, or amphorae created before that image was replaced are still running (openstack loadbalancer amphora list), the deployment is vulnerable.

Check Version:

octavia-api --version

Verify Fix Applied:

After rebuilding the image and failing over the amphorae, open a TLS connection from a host on the management network to an amphora's port 9443 without presenting any client certificate. A patched agent aborts the handshake (or, with TLS 1.3, fails the first request after it) instead of answering. Also confirm the controller version is 2.1.2+, 3.2.0+, or 4.1.0+.
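The verification step above can be scripted. The following is an added example, not code from Octavia or from this page. effective_client_auth shows the pitfall behind the advisory's root cause: gunicorn's cert_reqs expects an ssl.VerifyMode, and a truthy stand-in such as True is the integer 1, which is ssl.CERT_OPTIONAL (request a certificate, serve the request even without one), not CERT_REQUIRED. probe_client_cert_required then connects to an amphora's port 9443 with no client certificate and classifies what happens. The two option dicts are illustrative gunicorn option sets, not Octavia's own; the request path and the host are placeholders.

```python
"""Added example: why cert_reqs=True is not "required", and a no-cert probe of port 9443."""
import socket
import ssl

# gunicorn's cert_reqs option takes an ssl.VerifyMode:
#   CERT_NONE = 0, CERT_OPTIONAL = 1, CERT_REQUIRED = 2
# A bare True is the int 1, i.e. CERT_OPTIONAL: the server asks for a client
# certificate during the handshake but serves the request anyway if none arrives.
VULNERABLE_OPTIONS = {"cert_reqs": True}            # reads like "require a cert"; does not
FIXED_OPTIONS = {"cert_reqs": ssl.CERT_REQUIRED}    # actually refuses clients without one

_MODE_NAMES = {
    ssl.CERT_NONE: "none",
    ssl.CERT_OPTIONAL: "optional",
    ssl.CERT_REQUIRED: "required",
}


def effective_client_auth(cert_reqs) -> str:
    """Return what a given cert_reqs value really enforces ("none"/"optional"/"required")."""
    mode = ssl.VerifyMode(int(cert_reqs))  # True -> 1 -> CERT_OPTIONAL
    return _MODE_NAMES[mode]


def probe_client_cert_required(host: str, port: int = 9443, timeout: float = 5.0):
    """Connect with NO client certificate and report whether the agent still answers.

    Returns (verdict, detail) where verdict is one of:
      "vulnerable"  - handshake and an HTTP response succeeded without a client cert
      "rejected"    - the TLS layer refused us (expected on a patched agent)
      "unreachable" - no TCP connection (filtered, closed, or wrong network)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # amphora certs come from a private Octavia CA; we only test the server side
    # Deliberately no ctx.load_cert_chain(): that is the whole point of the probe.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Any path works; we only care whether a response comes back at all.
                # With CERT_REQUIRED the handshake (TLS 1.2) or the first read (TLS 1.3) raises SSLError.
                tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                data = tls.recv(1024)
    except ssl.SSLError as exc:
        return "rejected", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)
    verdict = "vulnerable" if data else "rejected"
    return verdict, data[:80].decode("latin-1", "replace")


if __name__ == "__main__":
    print("cert_reqs=True            ->", effective_client_auth(VULNERABLE_OPTIONS["cert_reqs"]))
    print("cert_reqs=CERT_REQUIRED   ->", effective_client_auth(FIXED_OPTIONS["cert_reqs"]))
    # Replace with an amphora's lb-mgmt-net address when running for real.
    print(probe_client_cert_required("192.0.2.10"))
```

Run it from a host on the management network against each amphora's management address; a "vulnerable" verdict means the agent served an HTTP request to a client that never presented a certificate, which is exactly the advisory's condition.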

📡 Detection & Monitoring

Log Indicators:

  • Requests served by the amphora agent (gunicorn on port 9443 inside the amphora) from client addresses that are not Octavia controller hosts; the agent's logs live inside the amphora, so ship them via syslog or inspect them on the amphora itself
  • On a patched agent: TLS handshake failures on 9443 from connections that present no client certificate
  • Load balancer configuration changes that do not correspond to an Octavia API call in the controller logs

Network Indicators:

  • Completed TLS sessions to port 9443 from sources other than the controller hosts. The attack is a normal TLS handshake that simply presents no client certificate, so the handshake itself looks legitimate; source address and the absence of a client certificate are the signals
  • One source connecting to 9443 on many amphorae within a short period (a sweep of the management network)

SIEM Query:

Adjust to the log sources you actually collect; with amphora syslog and controller logs in one index, a starting point is:

source="octavia*" AND "9443" AND ("unauthorized" OR "certificate" OR "authentication failed" OR "handshake")
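A minimal implementation of the network indicator above, as an added example that is not from this page or from Octavia: it reads flow records in a constructed "src dst dport bytes" format, treats every source outside an assumed controller subnet as untrusted, and reports untrusted sources that reached port 9443, ranking them by how many distinct amphorae each touched so a sweep stands out. The subnet, addresses and record format are assumptions to replace with your lb-mgmt-net layout and your flow exporter's format.

```python
"""Added example: flag connections to the amphora agent port from non-controller hosts."""
import ipaddress
from typing import Dict, Iterator, List, Set, Tuple

AGENT_PORT = 9443

# Assumption: the addresses the Octavia controllers (worker, health manager,
# housekeeping) use on the lb-mgmt-net. Only these should ever talk to port 9443.
CONTROLLER_NETS = [ipaddress.ip_network("172.16.0.0/28")]

# Constructed flow records for the example, not a real exporter format:
# "src dst dport bytes", one flow per line. 172.16.0.21-23 play the amphorae.
SAMPLE_FLOWS = """\
172.16.0.2 172.16.0.21 9443 2310
172.16.0.3 172.16.0.21 9443 1980
172.16.0.77 172.16.0.21 9443 640
172.16.0.77 172.16.0.22 9443 640
172.16.0.77 172.16.0.23 9443 640
172.16.0.2 172.16.0.22 9443 2310
10.0.0.9 172.16.0.21 22 512
172.16.0.90 172.16.0.23 9443 700
"""


def parse_flows(text: str) -> Iterator[Tuple[object, object, int, int]]:
    """Yield (src, dst, dport, bytes) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split()
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes)


def is_controller(addr) -> bool:
    """True if the address belongs to one of the allow-listed controller subnets."""
    return any(addr in net for net in CONTROLLER_NETS)


def untrusted_agent_clients(text: str) -> Dict[str, Set[str]]:
    """Map each non-controller source that reached port 9443 to the amphorae it contacted."""
    hits: Dict[str, Set[str]] = {}
    for src, dst, dport, _ in parse_flows(text):
        if dport == AGENT_PORT and not is_controller(src):
            hits.setdefault(str(src), set()).add(str(dst))
    return hits


def alerts(text: str, sweep_threshold: int = 3) -> List[str]:
    """Human-readable findings, widest sweep first; SWEEP when one source hit many amphorae."""
    out = []
    ranked = sorted(untrusted_agent_clients(text).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    for src, dsts in ranked:
        kind = "SWEEP" if len(dsts) >= sweep_threshold else "UNTRUSTED"
        out.append(f"{kind} {src} -> {len(dsts)} amphora(e) on {AGENT_PORT}: {', '.join(sorted(dsts))}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_FLOWS):
        print(line)
```

Controller-to-amphora traffic on 9443 is expected and noisy, so the allow-list is what makes this usable; keep it in sync with the controller hosts' management addresses, and feed the function the same flow source you would use to audit the rest of the lb-mgmt-net.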

🔗 References

  • Upstream fix (Gerrit review): https://review.opendev.org/686541
  • NVD entry for CVE-2019-17134: https://nvd.nist.gov/vuln/detail/CVE-2019-17134