Comment 29 for bug 1549483

Robert Clark (robert-clark) wrote :

Been a while since I looked at this, not sure if it needs more tweaking.

Users of Glance may be able to replace active image data
---
### Summary ###
When Glance has been configured with the "show_multiple_locations"
parameter enabled it is possible for a non-admin user to replace active
image data.

### Affected Services / Software ###
Glance, Havana, Icehouse, Juno, Kilo, Liberty, Mitaka, Newton

### Discussion ###
Glance has a multiple location feature that allows a single image to be
stored in multiple places. This is intended to offer an extra degree of
resilience by improving the availability of Glance images.
This feature involves a user pushing a new location for an image via the
Glance API. However, this process does not involve a checksum of the
existing or newly created image locations - allowing a malicious user to
push a different or altered image as an alternative location for an
existing one.
An attacker could add a malicious image to a location for an existing
one potentially leading to other users of the cloud unknowingly using
the malicious image.

### Recommended Actions ###
In production clouds the image publish policy should be enabled to avoid
non-admin users publishing images that can be used by other users of the
cloud. This does not mitigate the issue completely but it does
constrain the issue to an individual user.

Cloud operators should update their Glance configuration such that “set_image_location” and “delete_image_location” are restricted to cloud admins and owner & project admin.

### Contacts / References ###
This OSSN : <link to OSSN on wiki>
Original LaunchPad Bug : <link to launchpad bug for affected project/service>
OpenStack Security ML : <email address hidden>
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Multiple Image Location BP : https://blueprints.launchpad.net/glance/+spec/multiple-image-locations
CVE: <CVE number if one was filed>
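
An added example, not part of the comment above and not Glance code: a small audit of the settings the draft note names. It takes the text of glance-api.conf and policy.json and reports which of set_image_location and delete_image_location any user passes while show_multiple_locations is on. Assumptions: the sample files are constructed, "role:admin" stands in for whatever restriction the operator chooses, and rule evaluation is a simplification of oslo.policy that flags only always-true rules.

```python
import configparser
import json

LOCATION_RULES = ("set_image_location", "delete_image_location")  # named in the note

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_CONF = "[DEFAULT]\nshow_multiple_locations = True\n"
WEAK_POLICY = ('{"default": "", "context_is_admin": "role:admin",'
               ' "set_image_location": "", "delete_image_location": ""}')
HARDENED_POLICY = ('{"default": "role:admin", "set_image_location": "role:admin",'
                   ' "delete_image_location": "role:admin"}')


def multiple_locations_enabled(conf_text):
    """True if show_multiple_locations is enabled in glance-api.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.getboolean("DEFAULT", "show_multiple_locations", fallback=False)


def resolve(policy, name, depth=0):
    """Follow a plain 'rule:x' alias; a rule absent from the file uses 'default'."""
    rule = policy.get(name, policy.get("default", "!"))  # "!" = always deny
    if (isinstance(rule, str) and rule.startswith("rule:")
            and " " not in rule and depth < 10):
        return resolve(policy, rule[len("rule:"):], depth + 1)
    return rule


def unrestricted_location_rules(policy_text):
    """Names of the location rules that every authenticated user passes."""
    policy = json.loads(policy_text)
    # Simplification: only the always-true forms ("", [] and "@") are flagged;
    # compound expressions are not evaluated.
    return [n for n in LOCATION_RULES if resolve(policy, n) in ("", [], "@")]


def audit(conf_text, policy_text):
    """Exposed rules when the feature is on, otherwise an empty list."""
    if not multiple_locations_enabled(conf_text):
        return []
    return unrestricted_location_rules(policy_text)


if __name__ == "__main__":
    print("weak policy:", audit(SAMPLE_CONF, WEAK_POLICY))
    print("hardened policy:", audit(SAMPLE_CONF, HARDENED_POLICY))
```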