[OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | Fix Released | Critical | Stuart McLaren | |
| Juno | Fix Released | Undecided | Unassigned | |
| Kilo | Fix Released | Undecided | Unassigned | |
| OpenStack Security Advisory | Fix Released | Undecided | Unassigned | |
Bug Description
Using Glance v1, one is able to change the status of an image to any one of the valid statuses by passing the header 'x-image-meta-status'.
See http://
As shown in the above paste, though one is able to change the status of an active image to queued, uploading data after re-setting the status to queued fails with a 400 [1]. Though the purpose of [1] appears to be slightly different, it's fortunately saving us from badly breaking the immutability guarantees of glance images.
[1] https:/
NOTE: Marking this as a security vulnerability for now as users would be able to activate the deactivated images on their own. This probably affects deployments only where v1 is exposed publicly. However, it's probably worth discussing this from a security perspective as well.
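As an added illustration (not Glance's own code) of the weakness this report describes and of the check a defender would want, the following models a v1 image update that applies a client-supplied x-image-meta-status header beside a variant that refuses any status change from the client, and scans access-log lines for v1 PUT requests carrying that header. The image records, the log format with its 'hdr=' field, and all function names are assumptions.

```python
import re
# Added illustration, not Glance's code; image records and log lines are constructed.
VALID_STATUSES = {"queued", "saving", "active", "deactivated", "killed",
                  "pending_delete", "deleted"}

def parse_image_meta(headers):
    """Map 'x-image-meta-<field>' headers onto image fields (v1 convention)."""
    meta = {}
    for name, value in headers.items():
        key = name.lower()
        if key.startswith("x-image-meta-"):
            meta[key[len("x-image-meta-"):].replace("-", "_")] = value
    return meta

def update_image_vulnerable(image, headers):
    """Weak behaviour from the report: whatever the client sends is applied, status included."""
    meta = parse_image_meta(headers)
    image.update(meta)
    return image

def update_image_hardened(image, headers):
    """Status is server-owned: a client value is only tolerated if it echoes
    the current status; any attempted change is refused."""
    meta = parse_image_meta(headers)
    status = meta.pop("status", None)
    if status is not None and status != image["status"]:
        raise PermissionError("status may not be set by the client")
    image.update(meta)
    return image

# Constructed access log; 'hdr=' carries 'name:value' pairs joined by ';'.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2015:10:01:02] "PUT /v1/images/abc123 HTTP/1.1" 200 hdr=x-image-meta-status:active;x-image-meta-name:foo',
    '10.0.0.5 - - [22/Sep/2015:10:01:09] "PUT /v1/images/abc123 HTTP/1.1" 200 hdr=x-image-meta-name:bar',
    '10.0.0.7 - - [22/Sep/2015:10:02:00] "GET /v1/images/abc123 HTTP/1.1" 200 hdr=',
]
LINE_RE = re.compile(r'^(\S+) .*"PUT /v1/images/([^ /]+) HTTP[^"]*" \d+ hdr=(.*)$')

def find_status_changes(log_lines):
    """Return (client, image_id, requested_status) for each v1 PUT carrying x-image-meta-status."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for pair in m.group(3).split(";"):
            name, _, value = pair.partition(":")
            if name.lower() == "x-image-meta-status":
                hits.append((m.group(1), m.group(2), value))
    return hits
```

Run against a deactivated image, the weak handler flips it back to active while the hardened one refuses, and the log scan surfaces the single request that carried the header.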
CVE References: CVE-2015-5251
| Changed in | Field | Change |
|---|---|---|
| glance | status | New → Triaged |
| glance | importance | Undecided → Critical |
| glance | description | updated |
| ossa | status | Incomplete → Confirmed |
| ossa | status | Confirmed → In Progress |
| bug | summary | "Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1" → "Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)" |
| bug | information type | Private Security → Public |
| glance | milestone | none → liberty-rc1 |
| glance | assignee | nikhil komawar (nikhil-komawar) → Stuart McLaren (stuart-mclaren) |
| bug | summary | "Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)" → "[OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)" |
| bug | description | updated |
| ossa | status | In Progress → Fix Committed |
| ossa | status | Fix Committed → Fix Released |
| glance | status | Fix Committed → Fix Released |
| glance | milestone | liberty-rc1 → 11.0.0 |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.