[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)

Bug #1408663 reported by Thierry Carrez on 2015-01-08
Affects                       Importance   Assigned to
Glance                        Critical     Grant Murphy
Icehouse                      Critical     Grant Murphy
Juno                          Critical     Grant Murphy
OpenStack Security Advisory   Critical     Unassigned

Bug Description

Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the vulnerability for swift: and file: URI, but overlooked filesystem: URIs.

Please see bug 1400966 for historical reference.

CVE References: CVE-2015-1195

Thierry Carrez (ttx) on 2015-01-08
information type: Public → Public Security
Changed in ossa:
importance: Undecided → Critical
status: New → Confirmed
Thierry Carrez (ttx) wrote :
Changed in glance:
status: New → In Progress
importance: Undecided → Critical
Grant Murphy (gmurphy) wrote :
Changed in glance:
assignee: nobody → Grant Murphy (gmurphy)

Impact description draft #1:

Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (IBM)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description:
Jin Liu from IBM reported that path traversal vulnerability in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme an authenticated user can still download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.

Jeremy Stanley (fungi) wrote :

"2014.2 versions up to 2014.2.1" and "path traversal vulnerabilities in Glance were" but otherwise the proposed impact description looks good to me.

Jin Liu seems to be from EMC. Otherwise looks good. Could use a Glance coresec check though, adding them to the bug.

Changed in ossa:
status: Confirmed → Triaged

Reviewed: https://review.openstack.org/145640
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=a2d986b976e9325a272e2d422465165315d19fe6
Submitter: Jenkins
Branch: master

commit a2d986b976e9325a272e2d422465165315d19fe6
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800

    Prevent file, swift+config and filesystem schemes

    This change ensures that 'file', 'filesystem', and 'swift+config' URI
    schemes are not allowed when setting the location field. A previous
    fix to CVE-2014-9493 attempted to address this issue but did not
    include 'filesystem', a URI scheme allowed by the glance_store.

    Without this fix in place it is possible for a client to access any file
    the glance-api server has read permissions for.

    Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
    Closes-Bug: #1408663

Changed in glance:
status: In Progress → Fix Committed
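As an added illustration of the check the commit message above describes (refusing the file, filesystem and swift+config URI schemes when a client sets an image location), the following Python is a constructed example written for this page. It is not Glance's or glance_store's own code; the function and exception names, and the sample locations, are assumptions made here.

```python
from urllib.parse import urlsplit

# URI schemes that must never be accepted from a client-supplied image
# location: each resolves to data the glance-api process itself can reach
# (local files, or a store reference taken from the server's own config).
# The three names are the ones the commit message lists; the code around
# them is a constructed example, not Glance's implementation.
RESTRICTED_SCHEMES = frozenset({"file", "filesystem", "swift+config"})


class InvalidLocation(ValueError):
    """Raised when a client-supplied location must not be stored (assumed name)."""


def location_scheme(uri: str) -> str:
    """Return the lower-cased URI scheme, or raise if the value has none.

    A bare path such as "/etc/hosts" has no scheme; rejecting "no scheme"
    keeps the check from being bypassed by simply omitting the prefix.
    """
    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        raise InvalidLocation("location has no URI scheme: %r" % uri)
    return scheme


def validate_location(uri: str) -> str:
    """Return the location unchanged if its scheme is acceptable, else raise."""
    scheme = location_scheme(uri)
    if scheme in RESTRICTED_SCHEMES:
        raise InvalidLocation(
            "scheme %r is not allowed for client-set locations" % scheme)
    return uri


def is_location_allowed(uri: str) -> bool:
    """Boolean wrapper around validate_location for policy checks and tests."""
    try:
        validate_location(uri)
    except InvalidLocation:
        return False
    return True


def audit_locations(uris):
    """Map each candidate location to True (accepted) or False (rejected).

    Useful when reviewing image records already in the database: a stored
    location that comes back False was written before the scheme check.
    """
    return {uri: is_location_allowed(uri) for uri in uris}


if __name__ == "__main__":
    # Constructed sample locations; hosts and paths are placeholders.
    samples = [
        "http://images.example.invalid/cirros.qcow2",
        "swift://account:user@swift.example.invalid/images/cirros",
        "filesystem:///etc/glance/glance-api.conf",
        "FILE:///etc/passwd",
        "swift+config://ref1/glance/cirros",
        "/var/lib/glance/images/cirros",
    ]
    for uri, ok in audit_locations(samples).items():
        print("%-7s %s" % ("allow" if ok else "reject", uri))
```

The scheme is compared after lower-casing so that mixed-case spellings of a blocked scheme are caught, and a value with no scheme at all is rejected rather than passed through; both are the sort of edge a review of such a denylist should exercise.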

@Jin Liu: we will credit EMC as your company, if it's ok for you, you might want to update your openstack community profile... see: http://www.openstack.org/community/members/profile/17173

Thanks for the review, here is the impact description draft #2:

Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme an authenticated user can still download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.

Reviewed: https://review.openstack.org/145916
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=5191ed1879c5fd5b2694f922bcedec232f461088
Submitter: Jenkins
Branch: stable/juno

commit 5191ed1879c5fd5b2694f922bcedec232f461088
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800

    Prevent file, swift+config and filesystem schemes

    This change ensures that 'file', 'filesystem', and 'swift+config' URI
    schemes are not allowed when setting the location field. A previous
    fix to CVE-2014-9493 attempted to address this issue but did not
    include 'filesystem', a URI scheme allowed by the glance_store.

    Without this fix in place it is possible for a client to access any file
    the glance-api server has read permissions for.

    Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
    Closes-Bug: #1408663
    (cherry picked from commit a2d986b976e9325a272e2d422465165315d19fe6)

Reviewed: https://review.openstack.org/145974
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
Submitter: Jenkins
Branch: stable/icehouse

commit 7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800

    Prevent file, swift+config and filesystem schemes

    This change ensures that 'file', 'filesystem', and 'swift+config' URI
    schemes are not allowed when setting the location field. A previous
    fix to CVE-2014-9493 attempted to address this issue but did not
    include 'filesystem', a URI scheme allowed by the glance_store.

    Without this fix in place it is possible for a client to access any file
    the glance-api server has read permissions for.

    (cherry picked from commit 5191ed1879c5fd5b2694f922bcedec232f461088)

    Conflicts:
     glance/common/store_utils.py

    Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
    Closes-Bug: #1408663

Tristan's updated impact description in comment #8 looks good to me.

@Glance-coresec: can someone please confirm if the impact description in comment #8 is correct ?

I'm waiting for your approval before requesting a CVE, thanks in advance!

The impact description in comment #8 from Tristan, looks good to me.

The OSSA have been published without CVE, will switch the OSSA task to "fix released" once one is assigned and the errata is out.

summary: - Glance still allows users to download and delete any file in glance-api
- server
+ [OSSA-2015-002] Glance still allows users to download and delete any
+ file in glance-api server
Changed in ossa:
status: Triaged → In Progress
Jeremy Stanley (fungi) on 2015-01-18
summary: [OSSA-2015-002] Glance still allows users to download and delete any
- file in glance-api server
+ file in glance-api server (CVE-2015-1195)
Changed in ossa:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/147556
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=f6b1f51a54c7029f487972e6cbb7c9df98dda01d
Submitter: Jenkins
Branch: master

commit f6b1f51a54c7029f487972e6cbb7c9df98dda01d
Author: Tristan Cacqueray <email address hidden>
Date: Thu Jan 15 15:36:30 2015 +0000

    Adds OSSA-2015-002

    Related-Bug: #1408663
    Change-Id: Id36443b17f18a0f0cbcfd731c4fd50d8f2ffd9d1

Thierry Carrez (ttx) on 2015-02-05
Changed in glance:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in glance:
milestone: kilo-2 → 2015.1.0

Change abandoned by Ian Cordasco (<email address hidden>) on branch: master
Review: https://review.openstack.org/150736
Reason: There's been no discussion of this since February. Zhi Yan Liu and I agree that this is a dangerous change, so I'm abandoning this for now. If this is something we want later on, we can always restore it.
