2015-08-06 20:14:09 |
Hemanth Makkapati |
bug |
|
|
added bug |
2015-08-06 20:15:40 |
Hemanth Makkapati |
bug |
|
|
added subscriber Brian Rosmaita |
2015-08-06 20:15:51 |
Hemanth Makkapati |
bug |
|
|
added subscriber Erno Kuvaja |
2015-08-06 20:16:00 |
Hemanth Makkapati |
bug |
|
|
added subscriber Flavio Percoco |
2015-08-06 20:16:08 |
Hemanth Makkapati |
bug |
|
|
added subscriber Stuart McLaren |
2015-08-06 20:29:02 |
Nikhil Komawar |
glance: status |
New |
Triaged |
|
2015-08-06 20:29:07 |
Nikhil Komawar |
glance: importance |
Undecided |
Critical |
|
2015-08-06 20:30:23 |
Grant Murphy |
bug task added |
|
ossa |
|
2015-08-06 20:31:13 |
Grant Murphy |
ossa: status |
New |
Incomplete |
|
2015-08-06 20:31:58 |
Grant Murphy |
bug |
|
|
added subscriber Glance Core security contacts |
2015-08-06 20:32:41 |
Nikhil Komawar |
glance: assignee |
|
nikhil komawar (nikhil-komawar) |
|
2015-08-06 20:32:44 |
Grant Murphy |
description |
Using Glance v1, one is able to change the status of an image to any one of the valid statuses by passing the header 'x-image-meta-status' with PUT on /images/<image id>. This bug provides a way for an image to transition states that are otherwise not possible in an image's lifecycle.
See http://paste.openstack.org/show/pNL7kvIZUz7cWJQwX64d/ for a reproduction of this behavior on devstack.
As shown in the above paste, though one is able to change the status of an active image to queued, uploading data after re-setting the status to queued fails with a 400[1]. Though the purpose of [1] appears to be slightly different, it's fortunately saving us from badly breaking the immutability guarantees of glance images.
[1] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L760-L765
NOTE: Marking this as a security vulnerability for now as users would be able to activate the deactivated images on their own. This probably affects deployments only where v1 is exposed publicly. However, it's probably worth discussing this from a security perspective as well. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Using Glance v1, one is able to change the status of an image to any one of the valid statuses by passing the header 'x-image-meta-status' with PUT on /images/<image id>. This bug provides a way for an image to transition states that are otherwise not possible in an image's lifecycle.
See http://paste.openstack.org/show/pNL7kvIZUz7cWJQwX64d/ for a reproduction of this behavior on devstack.
As shown in the above paste, though one is able to change the status of an active image to queued, uploading data after re-setting the status to queued fails with a 400[1]. Though the purpose of [1] appears to be slightly different, it's fortunately saving us from badly breaking the immutability guarantees of glance images.
[1] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L760-L765
NOTE: Marking this as a security vulnerability for now as users would be able to activate the deactivated images on their own. This probably affects deployments only where v1 is exposed publicly. However, it's probably worth discussing this from a security perspective as well. |
|
2015-08-07 12:52:41 |
Stuart McLaren |
bug |
|
|
added subscriber Cian O'Driscoll |
2015-08-10 17:33:08 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
2015-08-11 14:57:41 |
Stuart McLaren |
attachment added |
|
Suggested patch https://bugs.launchpad.net/glance/+bug/1482371/+attachment/4442953/+files/status.patch |
|
2015-09-08 14:10:43 |
Tristan Cacqueray |
ossa: status |
Confirmed |
In Progress |
|
2015-09-08 17:27:39 |
Grant Murphy |
summary |
Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 |
Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) |
|
2015-09-08 17:27:50 |
Grant Murphy |
cve linked |
|
2015-5251 |
|
2015-09-14 14:51:22 |
Flavio Percoco |
attachment added |
|
Juno backport https://bugs.launchpad.net/ossa/+bug/1482371/+attachment/4464098/+files/0001-Prevent-image-status-being-directly-modified-via-v1.patch-juno |
|
2015-09-14 14:51:49 |
Flavio Percoco |
attachment added |
|
Kilo backport https://bugs.launchpad.net/ossa/+bug/1482371/+attachment/4464110/+files/0001-Prevent-image-status-being-directly-modified-via-v1.patch-kilo |
|
2015-09-14 14:52:16 |
Flavio Percoco |
attachment added |
|
Liberty (using format-patch) https://bugs.launchpad.net/ossa/+bug/1482371/+attachment/4464111/+files/0001-Prevent-image-status-being-directly-modified-via-v1.patch-liberty |
|
2015-09-22 14:07:00 |
Grant Murphy |
information type |
Private Security |
Public |
|
2015-09-22 15:36:03 |
Nikhil Komawar |
glance: milestone |
|
liberty-rc1 |
|
2015-09-22 17:49:57 |
Nikhil Komawar |
glance: assignee |
nikhil komawar (nikhil-komawar) |
Stuart McLaren (stuart-mclaren) |
|
2015-09-22 18:34:59 |
OpenStack Infra |
glance: status |
Triaged |
Fix Committed |
|
2015-09-22 18:52:00 |
Tristan Cacqueray |
summary |
Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) |
[OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) |
|
2015-09-22 18:52:08 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Using Glance v1, one is able to change the status of an image to any one of the valid statuses by passing the header 'x-image-meta-status' with PUT on /images/<image id>. This bug provides a way for an image to transition states that are otherwise not possible in an image's lifecycle.
See http://paste.openstack.org/show/pNL7kvIZUz7cWJQwX64d/ for a reproduction of this behavior on devstack.
As shown in the above paste, though one is able to change the status of an active image to queued, uploading data after re-setting the status to queued fails with a 400[1]. Though the purpose of [1] appears to be slightly different, it's fortunately saving us from badly breaking the immutability guarantees of glance images.
[1] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L760-L765
NOTE: Marking this as a security vulnerability for now as users would be able to activate the deactivated images on their own. This probably affects deployments only where v1 is exposed publicly. However, it's probably worth discussing this from a security perspective as well. |
Using Glance v1, one is able to change the status of an image to any one of the valid statuses by passing the header 'x-image-meta-status' with PUT on /images/<image id>. This bug provides a way for an image to transition states that are otherwise not possible in an image's lifecycle.
See http://paste.openstack.org/show/pNL7kvIZUz7cWJQwX64d/ for a reproduction of this behavior on devstack.
As shown in the above paste, though one is able to change the status of an active image to queued, uploading data after re-setting the status to queued fails with a 400[1]. Though the purpose of [1] appears to be slightly different, it's fortunately saving us from badly breaking the immutability guarantees of glance images.
[1] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L760-L765
NOTE: Marking this as a security vulnerability for now as users would be able to activate the deactivated images on their own. This probably affects deployments only where v1 is exposed publicly. However, it's probably worth discussing this from a security perspective as well. |
|
2015-09-22 18:52:13 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
2015-09-22 20:03:32 |
OpenStack Infra |
tags |
|
in-stable-kilo |
|
2015-09-22 23:55:47 |
OpenStack Infra |
tags |
in-stable-kilo |
in-stable-juno in-stable-kilo |
|
2015-09-23 15:30:17 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
2015-09-26 08:18:01 |
Thierry Carrez |
glance: status |
Fix Committed |
Fix Released |
|
2015-10-15 13:34:03 |
Thierry Carrez |
glance: milestone |
liberty-rc1 |
11.0.0 |
|
2015-11-14 10:32:03 |
Alan Pevec |
nominated for series |
|
glance/juno |
|
2015-11-14 10:32:04 |
Alan Pevec |
bug task added |
|
glance/juno |
|
2015-11-14 15:04:30 |
Alan Pevec |
glance/juno: status |
New |
Fix Committed |
|
2015-11-14 15:04:30 |
Alan Pevec |
glance/juno: milestone |
|
2014.2.4 |
|
2015-11-19 21:40:49 |
Alan Pevec |
glance/juno: status |
Fix Committed |
Fix Released |
|
2016-01-21 20:19:24 |
Dave Walker |
nominated for series |
|
glance/kilo |
|
2016-01-21 20:19:24 |
Dave Walker |
bug task added |
|
glance/kilo |
|
2016-01-21 20:19:55 |
Dave Walker |
glance/kilo: status |
New |
Fix Committed |
|
2016-01-21 20:19:55 |
Dave Walker |
glance/kilo: milestone |
|
2015.1.3 |
|
2016-01-21 23:12:57 |
Dave Walker |
glance/kilo: status |
Fix Committed |
Fix Released |
|
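The following Python model is an added illustration of the behaviour the bug report describes; it is not Glance's own code and not the attached patch. Glance v1 maps `x-image-meta-<field>` request headers onto image properties, and before the fix `x-image-meta-status` was mapped like any other field, so a PUT on `/images/<image id>` could set an arbitrary lifecycle state (for example, re-activating an image an admin had deactivated). The "vulnerable" path below reproduces that; the "fixed" path refuses a client-supplied status. The patch titles attached above only say the fix prevents status from being directly modified via v1, so the shape of the fixed path, the exception classes, the lifecycle transition table and the sample image and headers are all assumptions made for this example.

```python
"""Model of the Glance v1 image-update path that CVE-2015-5251 abused.

Added example, not Glance code. Function names, exception classes, the
transition table and the sample data are assumptions for illustration.
"""

# Image lifecycle states Glance documents.
IMAGE_STATUSES = {
    "queued", "saving", "active", "killed",
    "deleted", "pending_delete", "deactivated",
}

# Transitions the service performs itself through lifecycle actions
# (upload, deactivate/reactivate, delete).  Assumed for this example,
# modelled on the image lifecycle; not copied from Glance.
ALLOWED_TRANSITIONS = {
    "queued": {"saving", "active", "killed", "deleted"},
    "saving": {"active", "killed", "deleted"},
    "active": {"deactivated", "pending_delete", "deleted"},
    "deactivated": {"active", "pending_delete", "deleted"},
    "killed": {"deleted"},
    "pending_delete": {"deleted"},
    "deleted": set(),
}


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


class BadRequest(Exception):
    """Stands in for an HTTP 400 response."""


def image_meta_from_headers(headers):
    """Collect x-image-meta-<field> headers into a metadata dict, the
    way the v1 API turns request headers into image properties."""
    prefix = "x-image-meta-"
    meta = {}
    for name, value in headers.items():
        key = name.lower()
        if key.startswith(prefix):
            meta[key[len(prefix):]] = value
    return meta


def update_image_vulnerable(image, headers):
    """Pre-fix behaviour: every x-image-meta-* header, 'status'
    included, is written straight onto the image record."""
    meta = image_meta_from_headers(headers)
    if "status" in meta and meta["status"] not in IMAGE_STATUSES:
        raise BadRequest("invalid status %r" % meta["status"])
    updated = dict(image)
    updated.update(meta)
    return updated


def update_image_fixed(image, headers):
    """Post-fix behaviour: a client-supplied status is refused; status is
    owned by the service and changes only via service_transition()."""
    meta = image_meta_from_headers(headers)
    if "status" in meta:
        raise Forbidden("image status cannot be set via x-image-meta-status")
    updated = dict(image)
    updated.update(meta)
    return updated


def service_transition(image, new_status):
    """The legitimate path: the service checks the requested transition
    against the lifecycle table before applying it."""
    current = image["status"]
    if new_status not in ALLOWED_TRANSITIONS.get(current, set()):
        raise BadRequest("cannot move image from %s to %s" % (current, new_status))
    updated = dict(image)
    updated["status"] = new_status
    return updated


def demo():
    """Run the report's scenario (owner re-activates a deactivated image)
    against both code paths and return what each one did."""
    # Constructed sample image: an admin has deactivated it.
    image = {"id": "0001-example", "name": "cirros", "status": "deactivated"}
    # Constructed request: the owner tries to flip it back to active.
    headers = {"X-Image-Meta-Status": "active", "X-Image-Meta-Name": "renamed"}

    vulnerable = update_image_vulnerable(image, headers)["status"]
    try:
        update_image_fixed(image, headers)
        fixed = "accepted"
    except Forbidden:
        fixed = "forbidden"
    return {"vulnerable": vulnerable, "fixed": fixed}


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'active', 'fixed': 'forbidden'}
```

The point of splitting `service_transition` from the header-driven update is the design principle behind the fix: lifecycle state is service-owned and must never be writable through the same generic metadata path that the client controls. The reporter's note that exposure depends on v1 being reachable is the operational check to make first; Glance releases of that era had an `enable_v1_api` option in glance-api.conf that controls whether the v1 endpoint is served at all.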