From 6f54167b05cab1ef2721d63ddee99f92d61ea14f Mon Sep 17 00:00:00 2001
From: Adam Harwell
Date: Fri, 4 Oct 2019 01:04:20 -0700
Subject: [PATCH] Fix urgent amphora two-way auth security bug
The value of gunicorn's option 'cert_reqs` for client-cert requirement does not take a boolean, but rather `ssl.CERT_REQUIRED` which is `2`.
Story: 2006660
Task: 36916
SecurityImpact: CVE-2019-17134
Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
(cherry picked from commit 2c9af84bdfb443adb1c708d2e6d277170ad2b6a7)
---
 octavia/cmd/agent.py | 2 +-
 octavia/tests/unit/cmd/test_agent.py | 7 +++++++
 ...ect-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml | 5 +++++
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
diff --git a/octavia/cmd/agent.py b/octavia/cmd/agent.py
index 9f0c764f7c..7e8af0ed3a 100644
--- a/octavia/cmd/agent.py
+++ b/octavia/cmd/agent.py
@@ -74,7 +74,7 @@ def main():
 'timeout': CONF.amphora_agent.agent_request_read_timeout,
 'certfile': CONF.amphora_agent.agent_server_cert,
 'ca_certs': CONF.amphora_agent.agent_server_ca,
- 'cert_reqs': True,
+ 'cert_reqs': ssl.CERT_REQUIRED,
 'ssl_version': getattr(ssl, "PROTOCOL_%s" % proto),
 'preload_app': True,
 'accesslog': '/var/log/amphora-agent.log',
diff --git a/octavia/tests/unit/cmd/test_agent.py b/octavia/tests/unit/cmd/test_agent.py
index 551ab567f4..22ca4ff96b 100644
--- a/octavia/tests/unit/cmd/test_agent.py
+++ b/octavia/tests/unit/cmd/test_agent.py
@@ -9,6 +9,7 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+import ssl
 import mock
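Review bot: The new `'cert_reqs': ssl.CERT_REQUIRED,` line in octavia/cmd/agent.py has no comment explaining why the enum member is mandatory, so the original mistake is easy to reintroduce in a later cleanup. In Python `True == 1`, which is the value of `ssl.CERT_OPTIONAL`, so the old setting requested a client certificate without requiring one. I would add `# Must be ssl.CERT_REQUIRED (2): True == 1 == ssl.CERT_OPTIONAL, which lets clients connect without a certificate.` directly above the line. The adjacent context line `getattr(ssl, "PROTOCOL_%s" % proto)` builds the protocol constant from a value defined outside the hunk, so it is worth confirming there that only current TLS protocol names can be selected. `main()` begins and ends outside this hunk.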
@@ -36,5 +37,11 @@ class TestAmphoraAgentCMD(base.TestCase):
 agent.main()
+ # Ensure gunicorn is initialized with the correct cert_reqs option.
+ # This option is what enforces use of a valid client certificate.
+ self.assertEqual(
+ ssl.CERT_REQUIRED,
+ mock_amp.call_args[0][1]['cert_reqs'])
+ mock_health_proc.start.assert_called_once_with()
 mock_amp_instance.run.assert_called_once()
diff --git a/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
new file mode 100644
index 0000000000..e348b14877
--- /dev/null
+++ b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Correctly require two-way certificate authentication to connect to the
+ amphora agent API (CVE-2019-17134).
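Review bot: The added assertion in TestAmphoraAgentCMD pins only the value placed in the mocked options dict, not the behaviour it is meant to guarantee; nothing here shows a client without a certificate actually being refused. A functional test that attempts a TLS connection to the agent without a client certificate and expects the handshake to fail would still catch a regression if the option name or its interpretation changed upstream. The lookup `mock_amp.call_args[0][1]['cert_reqs']` also depends on the options being the second positional argument, so a short comment such as `# call_args[0][1] is the gunicorn options dict` would make a future signature change easier to diagnose. The test method starts outside the hunk.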