User can change image status directly with v1 API

Bug #1496798 reported by Mike Fedosin
Affects              Status        Importance  Assigned to    Milestone
Mirantis OpenStack   Fix Released  Critical    Mike Fedosin
  5.1.x              Fix Released  Critical    Sergii Rizvan
  6.0.x              Fix Released  Critical    Sergii Rizvan
  6.1.x              Fix Released  Critical    Sergii Rizvan
  7.0.x              Fix Released  Critical    Mike Fedosin
  8.0.x              Fix Released  Critical    Mike Fedosin

Bug Description

This issue was found upstream and I think we have to fix it ASAP:

"By submitting a HTTP PUT request with a
'x-image-meta-status' header, a tenant can manipulate the
status of their images. A malicious tenant may exploit this
flaw to reactivate disabled images, bypass storage quotas and
in some cases replace image contents. Setups using the Glance
v1 API allow the illegal modification of image status. Setups
which also use the v2 API may allow a subsequent re-upload of
image contents."

There is a patch for upstream Kilo; the patch for MOS 7.0 will be done today.

Mike Fedosin (mfedosin)
Changed in mos:
status: New → Confirmed
Changed in mos:
status: Confirmed → Fix Committed
information type: Private Security → Public Security
Sergii Rizvan (srizvan) wrote :

Verified https://review.fuel-infra.org/#/c/11760/ on MOS 5.1.1

api: '1.0'
astute_sha: ef8aa0fd0e3ce20709612906f1f0551b5682a6ce
auth_required: true
build_id: 2014-12-03_01-07-36
build_number: '48'
feature_groups:
- mirantis
fuellib_sha: a3043477337b4a0a8fd166dc83d6cd5d504f5da8
fuelmain_sha: 7626c5aeedcde77ad22fc081c25768944697d404
nailgun_sha: 500e36d08a45dbb389bf2bd97673d9bff48ee84d
ostf_sha: 64cb59c681658a7a55cc2c09d079072a41beb346
production: docker
release: 5.1.1
release_versions:
  2014.1.3-5.1.1:
    VERSION:
      api: '1.0'
      astute_sha: ef8aa0fd0e3ce20709612906f1f0551b5682a6ce
      build_id: 2014-12-03_01-07-36
      build_number: '48'
      feature_groups:
      - mirantis
      fuellib_sha: a3043477337b4a0a8fd166dc83d6cd5d504f5da8
      fuelmain_sha: 7626c5aeedcde77ad22fc081c25768944697d404
      nailgun_sha: 500e36d08a45dbb389bf2bd97673d9bff48ee84d
      ostf_sha: 64cb59c681658a7a55cc2c09d079072a41beb346
      production: docker
      release: 5.1.1

Steps to reproduce problem before and after applying patch: http://paste.openstack.org/show/477639/

Sergii Rizvan (srizvan) wrote :

Verified https://review.fuel-infra.org/#/c/11759/ on MOS 6.0

api: '1.0'
astute_sha: 16b252d93be6aaa73030b8100cf8c5ca6a970a91
auth_required: true
build_id: 2014-12-26_14-25-46
build_number: '58'
feature_groups:
- mirantis
fuellib_sha: fde8ba5e11a1acaf819d402c645c731af450aff0
fuelmain_sha: 81d38d6f2903b5a8b4bee79ca45a54b76c1361b8
nailgun_sha: 5f91157daa6798ff522ca9f6d34e7e135f150a90
ostf_sha: a9afb68710d809570460c29d6c3293219d3624d4
production: docker
release: '6.0'
release_versions:
  2014.2-6.0:
    VERSION:
      api: '1.0'
      astute_sha: 16b252d93be6aaa73030b8100cf8c5ca6a970a91
      build_id: 2014-12-26_14-25-46
      build_number: '58'
      feature_groups:
      - mirantis
      fuellib_sha: fde8ba5e11a1acaf819d402c645c731af450aff0
      fuelmain_sha: 81d38d6f2903b5a8b4bee79ca45a54b76c1361b8
      nailgun_sha: 5f91157daa6798ff522ca9f6d34e7e135f150a90
      ostf_sha: a9afb68710d809570460c29d6c3293219d3624d4
      production: docker
      release: '6.0'

Steps to reproduce problem before and after applying patch: http://paste.openstack.org/show/477639/

Alexey Galkin (agalkin)
tags: added: glance
Vadim Rovachev (vrovachev) wrote :

Steps to reproduce:
1. ssh to one of the controllers and run the command:
curl -X PUT http://192.168.0.2:9292/v1/images/<image_id> -H 'X-Auth-Token: <token>' -H 'x-image-meta-status: queued'
2. Check the image status.
If the image status changed, the bug is reproduced.

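The weakness quoted in the bug description and the curl check in the steps to reproduce, as an added example that is not part of this bug report, of the Fuel patches or of Glance's own code: a simplified Python model of the v1 header handling (the pre-fix behaviour beside a hardened variant), the v2 upload precondition that makes the "subsequent re-upload of image contents" possible, and a black-box probe equivalent to the curl step. The image record, the header parsing and the hardened check are illustrative assumptions that model the intent of the fix (status is server-managed), not the upstream patch itself.

```python
"""Added example (not Glance's own code): a model of the Glance v1
x-image-meta-status weakness described in this bug, plus the black-box
probe that the steps to reproduce perform with curl.

Assumptions (labelled): the image is a plain dict, the header handling is a
simplified stand-in for the v1 image controller, and the hardened variant
only models the intent of the fix (status is owned by the service).
"""

from collections.abc import Callable, Mapping

# Glance image lifecycle states; used only to validate a client-supplied value.
VALID_STATUSES = {
    "queued", "saving", "active", "killed", "deleted", "pending_delete", "deactivated",
}
HEADER_PREFIX = "x-image-meta-"
PROPERTY_PREFIX = "x-image-meta-property-"


class Forbidden(Exception):
    """Stand-in for the HTTP 403 the hardened handler would return."""


def parse_image_meta_headers(headers: Mapping[str, str]) -> dict:
    """Collect x-image-meta-* headers (case-insensitive) into a metadata dict.

    x-image-meta-property-* headers are free-form custom properties in the v1
    API; they are kept apart from the core fields so a property named
    'status' cannot shadow the real status column.
    """
    core, props = {}, {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(PROPERTY_PREFIX):
            props[lname[len(PROPERTY_PREFIX):]] = value
        elif lname.startswith(HEADER_PREFIX):
            core[lname[len(HEADER_PREFIX):]] = value
    if props:
        core["properties"] = props
    return core


def update_image_vulnerable(image: dict, headers: Mapping[str, str]) -> dict:
    """Pre-fix behaviour: every core x-image-meta-* field, status included,
    overwrites the stored record for any tenant who owns the image."""
    image.update(parse_image_meta_headers(headers))
    return image


def update_image_hardened(image: dict, headers: Mapping[str, str],
                          is_admin: bool = False) -> dict:
    """Modelled fix: 'status' belongs to the service's state machine.

    A non-admin request that tries to move the status is rejected outright
    rather than silently dropped, so the caller learns the field is not
    writable; the value is also checked against the known states so even an
    admin cannot write an arbitrary string into the column.
    """
    meta = parse_image_meta_headers(headers)
    if "status" in meta:
        if meta["status"] not in VALID_STATUSES:
            raise ValueError(f"unknown image status {meta['status']!r}")
        if meta["status"] != image.get("status") and not is_admin:
            raise Forbidden("status is server-managed; x-image-meta-status is not writable")
    image.update(meta)
    return image


def v2_upload_allowed(image: dict) -> bool:
    """The v2 data upload (PUT /v2/images/<id>/file) only accepts bytes for an
    image in 'queued'. Forcing an active image back to queued through v1 is
    what lets a tenant replace already-published image contents."""
    return image.get("status") == "queued"


def probe_status_change(get_status: Callable[[], str],
                        put_meta: Callable[[Mapping[str, str]], None],
                        target: str = "queued") -> dict:
    """Black-box form of the steps to reproduce: read the status, send one
    PUT carrying only x-image-meta-status, read the status again.

    get_status/put_meta are injected so the same logic runs against an
    in-memory model here or, wrapped around real HTTP calls, a live endpoint.
    """
    before = get_status()
    try:
        put_meta({"x-image-meta-status": target})
        rejected = False
    except Forbidden:
        rejected = True
    after = get_status()
    return {
        "before": before,
        "after": after,
        "rejected": rejected,
        "vulnerable": not rejected and before != after and after == target,
    }
```

Against a live deployment the two callables would be a GET/HEAD on /v1/images/<image_id> and the PUT from the steps above with the X-Auth-Token header; a patched service leaves "after" equal to "before", while an unpatched one reports the target status and, via the v2 precondition, reopens the image for upload.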
Vadim Rovachev (vrovachev) wrote :

Verified on 5.1.1

Alexey Galkin (agalkin) wrote :

verified on:
    VERSION:
      api: '1.0'
      astute_sha: 959b06c5ef8143125efd1727d350c050a922eb12
      build_id: '168'
      build_number: '168'
      feature_groups:
      - mirantis
      fuel-agent_sha: 2750600e946e96701099dfef5a7d69017f2e9956
      fuel-createmirror_sha: e34a0dd080fe6c133bcc75a00c31b27934ba51bc
      fuel-library_sha: 0d210dc3851ac6c74b3914ef4df0139defc8d117
      fuel-nailgun-agent_sha: 3e9d17211d65c80bf97c8d83979979f6c7feb687
      fuel-nailgun_sha: a5f4c44d08715f3be6b200a69032b30d347ac911
      fuel-ostf_sha: 9690a2de829d3b063ed1e64b0b10dde39f711dc0
      fuel-upgrade_sha: 1e894e26d4e1423a9b0d66abd6a79505f4175ff6
      fuelmain_sha: 266f9b374934c64629a84b5146632cc0de70ac91
      fuelmenu_sha: 06bbcebed6c8d0b0f9279e2997d2f958c800e98c
      network-checker_sha: a57e1d69acb5e765eb22cab0251c589cd76f51da
      openstack_version: 2015.1.0-8.0
      production: docker
      python-fuelclient_sha: e685d68c1c0d0fa0491a250f07d9c3a8d0f9608c
      release: '8.0'
      shotgun_sha: 25dd78a3118267e3616df0727ce746e7dead2d67

Vadim Rovachev (vrovachev) wrote :

Verified on 6.0
packages:
glance-api,glance-common,glance-registry
version:
1:2014.2-fuel6.0~mira20

Alexey Galkin (agalkin) wrote :

verified:

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "7.0"
  openstack_version: "2015.1.0-7.0"
  api: "1.0"
  build_number: "301"
  build_id: "301"
  nailgun_sha: "4162b0c15adb425b37608c787944d1983f543aa8"
  python-fuelclient_sha: "486bde57cda1badb68f915f66c61b544108606f3"
  fuel-agent_sha: "50e90af6e3d560e9085ff71d2950cfbcca91af67"
  fuel-nailgun-agent_sha: "d7027952870a35db8dc52f185bb1158cdd3d1ebd"
  astute_sha: "6c5b73f93e24cc781c809db9159927655ced5012"
  fuel-library_sha: "5d50055aeca1dd0dc53b43825dc4c8f7780be9dd"
  fuel-ostf_sha: "2cd967dccd66cfc3a0abd6af9f31e5b4d150a11c"
  fuelmain_sha: "a65d453215edb0284a2e4761be7a156bb5627677"

tags: added: on-automation
Ekaterina Shutova (eshutova) wrote :
tags: added: covered-automated-test
removed: on-automation
tags: added: feature-security
This report contains Public Security information; everyone can see it.