VYPR
Critical severity · NVD Advisory · Published Oct 8, 2019 · Updated Aug 5, 2024

CVE-2019-17134

Description

Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenStack Octavia's amphora agent HTTPS endpoint accepts any client connection due to misconfigured SSL certificate verification, allowing unauthenticated access.

Vulnerability

CVE-2019-17134 is a client-certificate authentication bypass in OpenStack Octavia's amphora agent. The agent's HTTPS endpoint on port 9443 is intended to require mutual TLS (mTLS) authentication, but a programming error in cmd/agent.py sets the gunicorn cert_reqs option to the Python boolean True instead of the constant ssl.CERT_REQUIRED. Because True evaluates to a value that does not enforce certificate validation, the server accepts connections without requiring a valid client certificate [1][2].

Exploitation

An attacker who has network access to the Octavia management network (i.e., can reach the amphora agent on port 9443) can send arbitrary HTTP requests to the agent. No client certificate is needed, and no authentication credentials are required. The vulnerability affects Octavia versions 0.10.0 through 2.1.1, 3.0.0 through 3.1.0, and 4.0.0 [1].

Impact

Successful exploitation allows an unauthenticated attacker to retrieve sensitive information from the amphora agent or issue configuration commands that the agent would normally reject. This could lead to unauthorized control of load balancer amphorae, potentially compromising the entire Octavia load-balancing service and the workloads it handles.

Mitigation

The fix, committed in OpenStack Octavia [2][3][4], replaces 'cert_reqs': True with 'cert_reqs': ssl.CERT_REQUIRED and adds the necessary import ssl statement. Users should upgrade to Octavia 2.1.2, 3.2.0, or 4.1.0, or apply the patch directly. No workaround is available beyond restricting network access to the management network.
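
Why `True` is not `ssl.CERT_REQUIRED`, as an added example (not Octavia's code): Python's `bool` is an `int` subclass, so `True` compares equal to `ssl.CERT_OPTIONAL` (1) rather than `ssl.CERT_REQUIRED` (2), and in server mode `CERT_OPTIONAL` lets a client that sends no certificate complete the handshake. The static check below flags such values in Python source; `effective_mode`, `find_weak_cert_reqs` and the sample sources are hypothetical names and constructed inputs.

```python
import ast
import ssl

# Constructed sample modelled on the options dict in the agent.py hunk;
# the CONF lookups are replaced by string literals so it parses stand-alone.
BEFORE = """
options = {
    'certfile': 'server.pem',
    'ca_certs': 'ca.pem',
    'cert_reqs': True,
    'preload_app': True,
}
"""
AFTER = BEFORE.replace("'cert_reqs': True", "'cert_reqs': ssl.CERT_REQUIRED")


def effective_mode(value):
    """Return the ssl.VerifyMode a literal compares equal to, or None."""
    try:
        return ssl.VerifyMode(value)  # bool is an int subclass: True == 1
    except ValueError:
        return None


def find_weak_cert_reqs(source):
    """List (line, reason) for each cert_reqs that is not CERT_REQUIRED."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Dict):  # {'cert_reqs': ...}
            pairs = [(k.value, v) for k, v in zip(node.keys, node.values)
                     if isinstance(k, ast.Constant)]
        elif isinstance(node, ast.Call):  # f(cert_reqs=...)
            pairs = [(kw.arg, kw.value) for kw in node.keywords]
        else:
            continue
        for name, val in pairs:
            if name != 'cert_reqs':
                continue
            if isinstance(val, ast.Constant) and isinstance(val.value, int):
                mode = effective_mode(val.value)
                if mode != ssl.CERT_REQUIRED:
                    label = mode.name if mode is not None else 'no valid mode'
                    findings.append((val.lineno, f"{val.value!r} acts as {label}"))
            elif not (isinstance(val, ast.Attribute) and val.attr == 'CERT_REQUIRED'):
                findings.append((val.lineno, "not ssl.CERT_REQUIRED: " + ast.unparse(val)))
    return findings


if __name__ == "__main__":
    print(find_weak_cert_reqs(BEFORE), find_weak_cert_reqs(AFTER))
```

The check is syntactic: a value built at runtime or aliased under another name is reported as "not ssl.CERT_REQUIRED" and needs a manual look.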

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| octavia (PyPI) | >= 0.10.0, < 2.1.2 | 2.1.2 |
| octavia (PyPI) | >= 3.0.0, < 3.2.0 | 3.2.0 |
| octavia (PyPI) | >= 4.0.0, < 4.1.0 | 4.1.0 |

Patches (6)

1725517d1d20

Fix urgent amphora two-way auth security bug

https://github.com/openstack/octavia · Adam Harwell · Oct 4, 2019 · via ghsa
3 files changed · +14 -1
  • octavia/cmd/agent.py · +2 -1 · modified
    @@ -15,6 +15,7 @@
     # make sure PYTHONPATH includes the home directory if you didn't install
     
     import multiprocessing as multiproc
    +import ssl
     import sys
     
     import gunicorn.app.base
    @@ -74,7 +75,7 @@ def main():
             'timeout': CONF.amphora_agent.agent_request_read_timeout,
             'certfile': CONF.amphora_agent.agent_server_cert,
             'ca_certs': CONF.amphora_agent.agent_server_ca,
    -        'cert_reqs': True,
    +        'cert_reqs': ssl.CERT_REQUIRED,
             'preload_app': True,
             'accesslog': '/var/log/amphora-agent.log',
             'errorlog': '/var/log/amphora-agent.log',
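
Review bot: The corrected `'cert_reqs': ssl.CERT_REQUIRED` line has no comment in agent.py, while the explanation of why this option matters is added only in the unit test. Put a one-line comment above it stating that the value must be an ssl constant and that a boolean does not enforce client certificates, so a later cleanup does not reintroduce `True`; the neighbouring `'preload_app': True` shows how natural a boolean looks in this dict.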
    
  • octavia/tests/unit/cmd/test_agent.py · +7 -0 · modified
    @@ -9,6 +9,7 @@
     #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
     #    License for the specific language governing permissions and limitations
     #    under the License.
    +import ssl
     
     import mock
     
    @@ -36,5 +37,11 @@ def test_main(self, mock_service, mock_process, mock_server, mock_amp):
     
             agent.main()
     
    +        # Ensure gunicorn is initialized with the correct cert_reqs option.
    +        # This option is what enforces use of a valid client certificate.
    +        self.assertEqual(
    +            ssl.CERT_REQUIRED,
    +            mock_amp.call_args[0][1]['cert_reqs'])
    +
             mock_health_proc.start.assert_called_once_with()
             mock_amp_instance.run.assert_called_once()
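
Review bot: The new assertion reads the options through `mock_amp.call_args[0][1]`, which ties the test to the positional order of the arguments; if that call ever switches to keyword arguments the lookup raises IndexError instead of reporting the security regression. Bind the options dict to a named local and assert on that. The check also inspects only the dict handed to the mock, so it does not show that a connection without a client certificate is refused; a functional test against a running agent would cover that.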
    
  • releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml · +5 -0 · added
    @@ -0,0 +1,5 @@
    +---
    +security:
    +  - |
    +    Correctly require two-way certificate authentication to connect to the
    +    amphora agent API (CVE-2019-17134).
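
Review bot: The release note has only a `security:` entry and does not tell operators which releases are affected or what they must do for the fix to reach amphorae that are already running. Add an `upgrade:` entry with the required operator action and state the affected version ranges, so the note can be read without the CVE record.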
    
89a2f6e0136a

Fix urgent amphora two-way auth security bug

https://github.com/openstack/octavia · Adam Harwell · Oct 4, 2019 · via ghsa
3 files changed · +14 -1
  • octavia/cmd/agent.py · +2 -1 · modified
    @@ -15,6 +15,7 @@
     # make sure PYTHONPATH includes the home directory if you didn't install
     
     import multiprocessing as multiproc
    +import ssl
     import sys
     
     import gunicorn.app.base
    @@ -74,7 +75,7 @@ def main():
             'timeout': CONF.amphora_agent.agent_request_read_timeout,
             'certfile': CONF.amphora_agent.agent_server_cert,
             'ca_certs': CONF.amphora_agent.agent_server_ca,
    -        'cert_reqs': True,
    +        'cert_reqs': ssl.CERT_REQUIRED,
             'preload_app': True,
             'accesslog': '/var/log/amphora-agent.log',
             'errorlog': '/var/log/amphora-agent.log',
    
  • octavia/tests/unit/cmd/test_agent.py · +7 -0 · modified
    @@ -9,6 +9,7 @@
     #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
     #    License for the specific language governing permissions and limitations
     #    under the License.
    +import ssl
     
     import mock
     
    @@ -36,5 +37,11 @@ def test_main(self, mock_service, mock_process, mock_server, mock_amp):
     
             agent.main()
     
    +        # Ensure gunicorn is initialized with the correct cert_reqs option.
    +        # This option is what enforces use of a valid client certificate.
    +        self.assertEqual(
    +            ssl.CERT_REQUIRED,
    +            mock_amp.call_args[0][1]['cert_reqs'])
    +
             mock_health_proc.start.assert_called_once_with()
             mock_amp_instance.run.assert_called_once()
    
  • releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml · +5 -0 · added
    @@ -0,0 +1,5 @@
    +---
    +security:
    +  - |
    +    Correctly require two-way certificate authentication to connect to the
    +    amphora agent API (CVE-2019-17134).
    
624ff08f27bc

Fix urgent amphora two-way auth security bug

https://github.com/openstack/octavia · Adam Harwell · Oct 4, 2019 · via ghsa
3 files changed · +14 -1
  • octavia/cmd/agent.py · +2 -1 · modified
    @@ -15,6 +15,7 @@
     # make sure PYTHONPATH includes the home directory if you didn't install
     
     import multiprocessing as multiproc
    +import ssl
     import sys
     
     import gunicorn.app.base
    @@ -74,7 +75,7 @@ def main():
             'timeout': CONF.amphora_agent.agent_request_read_timeout,
             'certfile': CONF.amphora_agent.agent_server_cert,
             'ca_certs': CONF.amphora_agent.agent_server_ca,
    -        'cert_reqs': True,
    +        'cert_reqs': ssl.CERT_REQUIRED,
             'preload_app': True,
             'accesslog': '/var/log/amphora-agent.log',
             'errorlog': '/var/log/amphora-agent.log',
    
  • octavia/tests/unit/cmd/test_agent.py · +7 -0 · modified
    @@ -9,6 +9,7 @@
     #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
     #    License for the specific language governing permissions and limitations
     #    under the License.
    +import ssl
     
     import mock
     
    @@ -36,5 +37,11 @@ def test_main(self, mock_service, mock_process, mock_server, mock_amp):
     
             agent.main()
     
    +        # Ensure gunicorn is initialized with the correct cert_reqs option.
    +        # This option is what enforces use of a valid client certificate.
    +        self.assertEqual(
    +            ssl.CERT_REQUIRED,
    +            mock_amp.call_args[0][1]['cert_reqs'])
    +
             mock_health_proc.start.assert_called_once_with()
             mock_amp_instance.run.assert_called_once()
    
  • releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml · +5 -0 · added
    @@ -0,0 +1,5 @@
    +---
    +security:
    +  - |
    +    Correctly require two-way certificate authentication to connect to the
    +    amphora agent API (CVE-2019-17134).
    
2976a7f0f109

Fix urgent amphora two-way auth security bug

https://github.com/openstack/octavia · Adam Harwell · Oct 4, 2019 · via ghsa
3 files changed · +14 -1
  • octavia/cmd/agent.py · +2 -1 · modified
    @@ -15,6 +15,7 @@
     # make sure PYTHONPATH includes the home directory if you didn't install
     
     import multiprocessing as multiproc
    +import ssl
     import sys
     
     import gunicorn.app.base
    @@ -74,7 +75,7 @@ def main():
             'timeout': CONF.amphora_agent.agent_request_read_timeout,
             'certfile': CONF.amphora_agent.agent_server_cert,
             'ca_certs': CONF.amphora_agent.agent_server_ca,
    -        'cert_reqs': True,
    +        'cert_reqs': ssl.CERT_REQUIRED,
             'preload_app': True,
             'accesslog': '/var/log/amphora-agent.log',
             'errorlog': '/var/log/amphora-agent.log',
    
  • octavia/tests/unit/cmd/test_agent.py · +7 -0 · modified
    @@ -9,6 +9,7 @@
     #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
     #    License for the specific language governing permissions and limitations
     #    under the License.
    +import ssl
     
     import mock
     
    @@ -36,5 +37,11 @@ def test_main(self, mock_service, mock_process, mock_server, mock_amp):
     
             agent.main()
     
    +        # Ensure gunicorn is initialized with the correct cert_reqs option.
    +        # This option is what enforces use of a valid client certificate.
    +        self.assertEqual(
    +            ssl.CERT_REQUIRED,
    +            mock_amp.call_args[0][1]['cert_reqs'])
    +
             mock_health_proc.start.assert_called_once_with()
             mock_amp_instance.run.assert_called_once()
    
  • releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml · +5 -0 · added
    @@ -0,0 +1,5 @@
    +---
    +security:
    +  - |
    +    Correctly require two-way certificate authentication to connect to the
    +    amphora agent API (CVE-2019-17134).
    
c2fdffc3b748

Fix urgent amphora two-way auth security bug

https://github.com/openstack/octavia · Adam Harwell · Oct 4, 2019 · via ghsa
3 files changed · +14 -1
  • octavia/cmd/agent.py · +2 -1 · modified
    @@ -15,6 +15,7 @@
     # make sure PYTHONPATH includes the home directory if you didn't install
     
     import multiprocessing as multiproc
    +import ssl
     import sys
     
     import gunicorn.app.base
    @@ -75,7 +76,7 @@ def main():
             'timeout': CONF.amphora_agent.agent_request_read_timeout,
             'certfile': CONF.amphora_agent.agent_server_cert,
             'ca_certs': CONF.amphora_agent.agent_server_ca,
    -        'cert_reqs': True,
    +        'cert_reqs': ssl.CERT_REQUIRED,
             'preload_app': True,
             'accesslog': '/var/log/amphora-agent.log',
             'errorlog': '/var/log/amphora-agent.log',
    
  • octavia/tests/unit/cmd/test_agent.py · +7 -0 · modified
    @@ -9,6 +9,7 @@
     #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
     #    License for the specific language governing permissions and limitations
     #    under the License.
    +import ssl
     
     import mock
     
    @@ -36,5 +37,11 @@ def test_main(self, mock_service, mock_process, mock_server, mock_amp):
     
             agent.main()
     
    +        # Ensure gunicorn is initialized with the correct cert_reqs option.
    +        # This option is what enforces use of a valid client certificate.
    +        self.assertEqual(
    +            ssl.CERT_REQUIRED,
    +            mock_amp.call_args[0][1]['cert_reqs'])
    +
             mock_health_proc.start.assert_called_once_with()
             mock_amp_instance.run.assert_called_once()
    
  • releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml · +5 -0 · added
    @@ -0,0 +1,5 @@
    +---
    +security:
    +  - |
    +    Correctly require two-way certificate authentication to connect to the
    +    amphora agent API (CVE-2019-17134).
    
b0c2cd7b4c83

Fix urgent amphora two-way auth security bug

https://github.com/openstack/octavia · Adam Harwell · Oct 4, 2019 · via ghsa
3 files changed · +13 -1
  • octavia/cmd/agent.py · +1 -1 · modified
    @@ -74,7 +74,7 @@ def main():
             'timeout': CONF.amphora_agent.agent_request_read_timeout,
             'certfile': CONF.amphora_agent.agent_server_cert,
             'ca_certs': CONF.amphora_agent.agent_server_ca,
    -        'cert_reqs': True,
    +        'cert_reqs': ssl.CERT_REQUIRED,
             'ssl_version': getattr(ssl, "PROTOCOL_%s" % proto),
             'preload_app': True,
             'accesslog': '/var/log/amphora-agent.log',
    
  • octavia/tests/unit/cmd/test_agent.py · +7 -0 · modified
    @@ -9,6 +9,7 @@
     #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
     #    License for the specific language governing permissions and limitations
     #    under the License.
    +import ssl
     
     import mock
     
    @@ -36,5 +37,11 @@ def test_main(self, mock_service, mock_process, mock_server, mock_amp):
     
             agent.main()
     
    +        # Ensure gunicorn is initialized with the correct cert_reqs option.
    +        # This option is what enforces use of a valid client certificate.
    +        self.assertEqual(
    +            ssl.CERT_REQUIRED,
    +            mock_amp.call_args[0][1]['cert_reqs'])
    +
             mock_health_proc.start.assert_called_once_with()
             mock_amp_instance.run.assert_called_once()
    
  • releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml · +5 -0 · added
    @@ -0,0 +1,5 @@
    +---
    +security:
    +  - |
    +    Correctly require two-way certificate authentication to connect to the
    +    amphora agent API (CVE-2019-17134).
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
