[OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493)
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
Glance |
Fix Released
|
Critical
|
Grant Murphy | |||
Icehouse |
Fix Released
|
Critical
|
Zhi Yan Liu | |||
Juno |
Fix Released
|
Critical
|
Zhi Yan Liu | |||
Juniper Openstack | Status tracked in Trunk | |||||
Trunk |
Invalid
|
Critical
|
Unassigned | |||
OpenStack Security Advisory |
Fix Released
|
Critical
|
Grant Murphy | |||
OpenStack-Ansible |
Fix Released
|
Critical
|
Ian Cordasco | |||
Icehouse |
Fix Released
|
Critical
|
Ian Cordasco | |||
Juno |
Fix Released
|
Critical
|
Ian Cordasco |
Bug Description
Updating image-location by update images API users can download any file for which glance-api has read permission.
And the file for which glance-api has write permission will be deleted when users delete the image.
For example:
When users specify '/etc/passwd' as locations value of an image user can get the file by image download.
When locations of an image is set with 'file:/
How to recreate the bug:
download files:
- set show_multiple_
- create a new image
- set locations of the image's property a path you want to get such as file:///etc/passwd.
- download the image
delete files:
- set show_multiple_
- create a new image
- set locations of the image's property a path you want to delete such as file://
- delete the image
I found this bug in 2014.2 (742c898956d655
What a big A RE RE!!
CVE References
summary: |
- Glance allows users to download any file in glance-api server + Glance allows users to download and delete any file in glance-api server |
description: | updated |
Changed in ossa: | |
status: | New → Incomplete |
Changed in ossa: | |
status: | Incomplete → Confirmed |
importance: | Undecided → High |
Changed in glance: | |
assignee: | nobody → Zhi Yan Liu (lzy-dev) |
Changed in glance: | |
milestone: | none → kilo-1 |
status: | Confirmed → In Progress |
tags: | added: havana-backport-potential |
Changed in glance: | |
status: | In Progress → Fix Committed |
Changed in glance: | |
status: | Fix Committed → Fix Released |
Changed in ossa: | |
status: | Confirmed → In Progress |
summary: |
- Glance allows users to download and delete any file in glance-api server + [OSSA-2014-041] Glance allows users to download and delete any file in + glance-api server (CVE-2014-9493) |
Changed in openstack-ansible: | |
importance: | Undecided → Critical |
assignee: | nobody → Ian Cordasco (icordasc) |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in openstack-ansible: | |
milestone: | none → 9.0.6 |
milestone: | 9.0.6 → 10.1.2 |
Changed in openstack-ansible: | |
milestone: | 10.1.2 → 9.0.6 |
milestone: | 9.0.6 → none |
no longer affects: | openstack-ansible/next |
Changed in glance: | |
milestone: | kilo-1 → 2015.1.0 |
Changed in openstack-ansible: | |
status: | Fix Committed → Fix Released |
Thanks for the report, the OSSA task is set to incomplete pending additional security review from glance-coresec.