[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | Glance |
Critical
|
Grant Murphy | ||
| | Icehouse |
Critical
|
Grant Murphy | ||
| | Juno |
Critical
|
Grant Murphy | ||
| | OpenStack Security Advisory |
Critical
|
Unassigned | ||
Bug Description
Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the vulnerability for swift: and file: URI, but overlooked filesystem: URIs.
Please see bug 1400966 for historical reference.
CVE References
| information type: | Public → Public Security |
| Changed in ossa: | |
| importance: | Undecided → Critical |
| status: | New → Confirmed |
| Thierry Carrez (ttx) wrote : | #1 |
| Changed in glance: | |
| status: | New → In Progress |
| importance: | Undecided → Critical |
| Grant Murphy (gmurphy) wrote : | #2 |
Juno fix proposed at https:/
| Changed in glance: | |
| assignee: | nobody → Grant Murphy (gmurphy) |
Impact description draft #1:
Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (IBM)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1
Description:
Jin Liu from IBM reported that path traversal vulnerability in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme an authenticated user can still download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.
| Jeremy Stanley (fungi) wrote : | #4 |
"2014.2 versions up to 2014.2.1" and "path traversal vulnerabilities in Glance were" but otherwise the proposed impact description looks good to me.
Fix proposed to branch: stable/icehouse
Review: https:/
| Thierry Carrez (ttx) wrote : Re: Glance still allows users to download and delete any file in glance-api server | #6 |
Jin Liu seems to be from EMC. Otherwise looks good. Could use a Glance coresec check though, adding them to the bug.
| Changed in ossa: | |
| status: | Confirmed → Triaged |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit a2d986b976e9325
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800
Prevent file, swift+config and filesystem schemes
This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.
Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.
Change-Id: I02cd099a8634b9
Closes-Bug: #1408663
| Changed in glance: | |
| status: | In Progress → Fix Committed |
| Tristan Cacqueray (tristan-cacqueray) wrote : Re: Glance still allows users to download and delete any file in glance-api server | #8 |
@Jin Liu: we will credit EMC as your company, if it's ok for you, you might want to update your openstack community profile... see: http://
Thanks for the review, here is the impact description draft #2:
Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1
Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme an authenticated user can still download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/juno
commit 5191ed1879c5fd5
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800
Prevent file, swift+config and filesystem schemes
This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.
Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.
Change-Id: I02cd099a8634b9
Closes-Bug: #1408663
(cherry picked from commit a2d986b976e9325
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/icehouse
commit 7d3a1db33ccbd25
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800
Prevent file, swift+config and filesystem schemes
This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.
Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.
(cherry picked from commit 5191ed1879c5fd5
Conflicts:
glance/
Change-Id: I02cd099a8634b9
Closes-Bug: #1408663
| Jeremy Stanley (fungi) wrote : Re: Glance still allows users to download and delete any file in glance-api server | #12 |
Tristan's updated impact description in comment #8 looks good to me.
@Glance-coresec: can someone please confirm if the impact description in comment #8 is correct ?
I'm waiting for your approval before requesting a CVE, thanks in advance!
| Nikhil Komawar (nikhil-komawar) wrote : | #14 |
The impact description in comment #8 from Tristan, looks good to me.
| Tristan Cacqueray (tristan-cacqueray) wrote : Re: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server | #15 |
The OSSA have been published without CVE, will switch the OSSA task to "fix released" once one is assigned and the errata is out.
| summary: |
- Glance still allows users to download and delete any file in glance-api - server + [OSSA-2015-002] Glance still allows users to download and delete any + file in glance-api server |
| Changed in ossa: | |
| status: | Triaged → In Progress |
| summary: |
[OSSA-2015-002] Glance still allows users to download and delete any - file in glance-api server + file in glance-api server (CVE-2015-1195) |
| Changed in ossa: | |
| status: | In Progress → Fix Released |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit f6b1f51a54c7029
Author: Tristan Cacqueray <email address hidden>
Date: Thu Jan 15 15:36:30 2015 +0000
Adds OSSA-2015-002
Related-Bug: #1408663
Change-Id: Id36443b17f18a0
Fix proposed to branch: master
Review: https:/
| Changed in glance: | |
| milestone: | none → kilo-2 |
| status: | Fix Committed → Fix Released |
| Changed in glance: | |
| milestone: | kilo-2 → 2015.1.0 |
Change abandoned by Ian Cordasco (<email address hidden>) on branch: master
Review: https:/
Reason: There's been no discussion of this since February. Zhi Yan Liu and I agree that this is a dangerous change, so I'm abandoning this for now. If this is something we want later on, we can always restore it.
Master fix proposed at https:/