Update Octavia-* packages as per OSSA-2019-005 / CVE-2019-17134

Bug #1847243 reported by Daniel 'f0o' Preussker
Affects                 Status         Importance   Assigned to   Milestone
Ubuntu Cloud Archive    Fix Released   High         James Page
  Rocky                 Fix Released   High         James Page
  Stein                 Fix Released   High         James Page
  Train                 Fix Released   High         James Page
octavia (Ubuntu)        Fix Released   High         James Page
  Disco                 Fix Released   High         James Page
  Eoan                  Fix Released   High         James Page

Bug Description

Octavia packages in cloud-archive/queens, cloud-archive/rocky and cloud-archive/stein need updating.

Fixes are committed to these versions:
Queens: 2.1.2
Rocky: 3.2.0
Stein: 4.1.0

With backports to:
Pike: Git#2976a7f0f109e17930db8a61136526ead44ea7e5
Ocata: Git#c2fdffc3b748f8007c72e52df257e38756923b40

Reference:
https://security.openstack.org/ossa/OSSA-2019-005.html

CVE References: CVE-2019-17134

Revision history for this message
Daniel 'f0o' Preussker (dpreussker) wrote :

Worth noting:

Amphora images built against 4.1.0 will not be able to be booted up from current stein packages unless octavia-worker is also updated to 4.1.0.

Similar issues are to be expected in the other releases.

Train release (5.0.0.0rc1) is also vulnerable and has a fix committed to 5.0.0.0rc2.

description: updated
Revision history for this message
James Page (james-page) wrote :

Octavia was introduced to Ubuntu at Rocky, so updates only needed for rocky/stein/train.

Raised bug tasks as appropriate.

Revision history for this message
James Page (james-page) wrote :

As this is already public upstream in OpenStack, making this bug public security.

information type: Private Security → Public Security
Changed in octavia (Ubuntu Eoan):
status: New → In Progress
importance: Undecided → High
assignee: nobody → James Page (james-page)
James Page (james-page)
Changed in octavia (Ubuntu Disco):
status: New → In Progress
importance: Undecided → High
assignee: nobody → James Page (james-page)
Revision history for this message
James Page (james-page) wrote :

Update for disco-security for ubuntu-security-sponsors to review.

Revision history for this message
James Page (james-page) wrote :

I've also uploaded to rocky-staging for the UCA; this will be accepted into proposed once the main distro tasks for disco and eoan are in-flight.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

octavia is currently building in the security proposed PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once it's done, could you please test it? I'll publish it as a security update once it's been tested.

Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package octavia - 5.0.0~rc2-0ubuntu1

---------------
octavia (5.0.0~rc2-0ubuntu1) eoan; urgency=high

  * SECURITY UPDATE: New upstream release candidate including
    security fix to enforce two-way authentication between
    amphora agents and the octavia control plane (LP: #1847243):
    - CVE-2019-17134

 -- James Page <email address hidden> Wed, 09 Oct 2019 17:23:31 +0100

Changed in octavia (Ubuntu Eoan):
status: In Progress → Fix Released
Revision history for this message
Daniel 'f0o' Preussker (dpreussker) wrote :

Hi Marc,

I'm afraid a patch-fix will not work because amphora images are created by the end-user using `diskimage-create.sh` which uses pip/git to pull the agent.

Although I do understand that from an OS Maintainer's perspective this patch solves the issue outlined in the CVE and keeps aligned to the release versions.

I must add that from an Operator's perspective this will either break current setups:
An operator would create an image based on version 4.1.0, which is incompatible with 4.0.0 but is the earliest tag/release with the fix from upstream
- Or -
Remain vulnerable by rebuilding a 4.0.0-tagged amphora image which does not have the CVE fix, while the Ubuntu Advisory suggests it would.

I looked at the way `diskimage-create.sh` creates the images for Ubuntu and it does include a flag `'-p' install amphora-agent from distribution packages (default: disabled)` but this is broken because it tries to use `amphora-agent` as package and does not care about UCA.

I've poked the Octavia Development Team about this as well.

One possible solution for keeping a fixed release (4.0.0) and doing patch updates for security is to provide Amphora images from Ubuntu directly. This way you can assure that these images come with your package. The drawback is that it needs a maintainer and causes labor on Canonical/Ubuntu's side.

Revision history for this message
Daniel 'f0o' Preussker (dpreussker) wrote :

Update:
Ok, it just can't find amphora-agent because it's looking into the wrong repositories regardless of the config. My bad. I could find the amphora-agent package in the repository manually.

/Daniel

Revision history for this message
James Page (james-page) wrote : Please test proposed package

Hello Daniel, or anyone else affected,

Accepted octavia into rocky-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:rocky-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-rocky-needed to verification-rocky-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-rocky-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-rocky-needed
Revision history for this message
James Page (james-page) wrote :

Hi Daniel

As a distro all we can do is provide the patched packages to resolve the CVE; yes there are operator actions that need to be undertaken to refresh amphora.

As to how to build amphora images that use the Ubuntu Cloud Archive - take a look at:

  https://snapcraft.io/octavia-diskimage-retrofit

this tool will take a stock Ubuntu cloud image, and overlay the required packages from a configurable openstack release into it from octavia.

Revision history for this message
Daniel 'f0o' Preussker (dpreussker) wrote :

Hi James,

Thanks for the link!

I honestly didn't know that tool existed and neither did the Octavia Team Members I interacted with.

I will rebuild an image right away and give it a shot.

/Daniel

Revision history for this message
James Page (james-page) wrote :

It's fairly new and was for some work that we did around the octavia charm tooling for the last development cycle of the openstack charms project.

Frode and I are working on some fixes/improvements to a) support disco so we can test something other than bionic and b) allow installation of pkgs from disco-proposed or a PPA to help with validating this type of update.

Revision history for this message
James Page (james-page) wrote :

Hello Daniel, or anyone else affected,

Accepted octavia into stein-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:stein-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-stein-needed to verification-stein-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-stein-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-stein-needed
Revision history for this message
James Page (james-page) wrote :

@mdeslaur

Update in the security proposed PPA tested OK - links to testing:

https://pastebin.ubuntu.com/p/M4kb8v6wKF/
http://pastebin.ubuntu.com/p/tTByNbgdpj

Thank you fnordhal for the testing.

Changed in octavia (Ubuntu Disco):
status: In Progress → Fix Committed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks james-page, thanks fnordhal!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package octavia - 4.0.0-0ubuntu1.2

---------------
octavia (4.0.0-0ubuntu1.2) disco-security; urgency=medium

  * SECURITY UPDATE: Enforce two-way authentication between amphora
    agents and the octavia control plane (LP: #1847243):
    - d/p/CVE-2019-17134.patch
    - CVE-2019-17134

 -- James Page <email address hidden> Wed, 09 Oct 2019 17:41:42 +0100

Changed in octavia (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
James Page (james-page) wrote :

This bug was fixed in the package octavia - 5.0.0~rc2-0ubuntu1~cloud0
---------------

 octavia (5.0.0~rc2-0ubuntu1~cloud0) bionic-train; urgency=medium
 .
   * New upstream release for the Ubuntu Cloud Archive.
 .
 octavia (5.0.0~rc2-0ubuntu1) eoan; urgency=high
 .
   * SECURITY UPDATE: New upstream release candidate including
     security fix to enforce two-way authentication between
     amphora agents and the octavia control plane (LP: #1847243):
     - CVE-2019-17134

Changed in cloud-archive:
status: Fix Committed → Fix Released
Revision history for this message
Daniel 'f0o' Preussker (dpreussker) wrote :

cloud-archive/stein tested and working correctly

Revision history for this message
Daniel 'f0o' Preussker (dpreussker) wrote :

Verified Version 4.0.0-0ubuntu1.2~cloud0

(Hit enter too fast)

Revision history for this message
James Page (james-page) wrote :

Verification of bionic-stein/proposed completed successfully (verified using charms+zaza and based on feedback in #20 and #21).

tags: added: verification-stein-done
removed: verification-stein-needed
Revision history for this message
James Page (james-page) wrote :

Note that due to the operational complexity of applying this update, I won't release the UCA updates until next week - unleashing operation hell on operators on a Friday is just unkind.

Revision history for this message
James Page (james-page) wrote :

bionic-rocky/proposed also verified successfully.

tags: added: verification-rocky-done
removed: verification-rocky-needed
Revision history for this message
James Page (james-page) wrote :

Updates for bionic/stein and bionic/rocky will be released today; amphora images must be rebuilt prior to applying package updates for octavia-worker, and all active amphora will need to be refreshed as part of the change.

Revision history for this message
James Page (james-page) wrote : Update Released

The verification of the Stable Release Update for octavia has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
James Page (james-page) wrote :

This bug was fixed in the package octavia - 4.0.0-0ubuntu1.2~cloud0
---------------

 octavia (4.0.0-0ubuntu1.2~cloud0) bionic; urgency=medium
 .
   * New security update for the Ubuntu Cloud Archive.
 .
 octavia (4.0.0-0ubuntu1.2) disco-security; urgency=medium
 .
   * SECURITY UPDATE: Enforce two-way authentication between amphora
     agents and the octavia control plane (LP: #1847243):
     - d/p/CVE-2019-17134.patch
     - CVE-2019-17134

Revision history for this message
James Page (james-page) wrote :

The verification of the Stable Release Update for octavia has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
James Page (james-page) wrote :

This bug was fixed in the package octavia - 3.0.0-0ubuntu3.1~cloud0
---------------

 octavia (3.0.0-0ubuntu3.1~cloud0) bionic; urgency=medium
 .
   [ Corey Bryant ]
   * d/gbp.conf: Create stable/rocky branch.
 .
   [ James Page ]
   * SECURITY UPDATE: Enforce two-way authentication between amphora
     agents and the octavia control plane (LP: #1847243):
     - d/p/CVE-2019-17134.patch
     - CVE-2019-17134

Changed in cloud-archive:
status: Fix Committed → Fix Released