Bug 1008615 (CVE-2013-4354)
Field | Value
---|---
Summary | CVE-2013-4354 OpenStack: Glance image creation in other tenant accounts
Product | [Other] Security Response
Reporter | Kurt Seifried <kseifried>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED WONTFIX
QA Contact | 
Severity | medium
Docs Contact | 
Priority | medium
Version | unspecified
CC | abaron, aortega, apevec, ayoung, chrisw, dallan, eglynn, fpercoco, gkotton, hateya, kseifried, lhh, markmc, nkinder, rbryant, sclewis, security-response-team, yeylon
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard | 
Fixed In Version | 
Doc Type | Bug Fix
Doc Text | 
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2013-12-04 05:57:33 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Bug Depends On | 1004254, 1008667, 1008668, 1008669
Bug Blocks | 
Description
Kurt Seifried
2013-09-16 17:16:30 UTC
This was discussed upstream. The analysis seems to be:

* this is actually a feature which has been present since the Glance version 1.0 API
* retroactively fixing this would break previous expected behavior which has beneficial uses
* this has been resolved in the version 2.1 API via a two-step process: a user can create an image for another tenant, which then goes into a 'pending' state and must be accepted by the other tenant in order to be used.

The risks associated with fixing this bug in OpenStack 3.0 are greater than its security impact as it would require default behavior to be changed. A future release of OpenStack may address this issue.

As Lon mentioned, this was discussed upstream and an OSSN[0] was recently released. I propose closing this bug as 'won't fix' based on the points raised by Lon, since this is not present in API v2 and will be fully supported by the client as part of Icehouse - RHOS 5.0.

[0] https://bugs.launchpad.net/ossn/+bug/1226078/comments/11

(In reply to Flavio Percoco from comment #4)
> I propose closing this bug as 'won't fix' based on the points raised by Lon,
> since this is not present in API v2 and will be fully supported by the
> client as part of Icehouse - RHOS 5.0.

Kurt, any objections to fpercoco's plan here?
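The difference between the v1 behaviour the bug is about and the v2.1 two-step sharing is easier to see in code. The following is an added illustration, not Glance's own code and not part of the bug thread: an in-memory model of the two flows. The v2 endpoint paths named in the comments (POST /v2/images/{id}/members, PUT /v2/images/{id}/members/{member}, GET /v2/images with the member_status filter) and the member statuses pending/accepted/rejected are Glance's, but the class, function and tenant names are invented for the example.

```python
"""Model of v1 owner-override vs. the v2.1 two-step image sharing.

Added illustration, not Glance code. Tenant ids, image ids and all
helper names below are made up for the example.
"""
from dataclasses import dataclass, field

PENDING, ACCEPTED, REJECTED = "pending", "accepted", "rejected"


class Forbidden(Exception):
    pass


@dataclass
class Image:
    image_id: str
    owner: str                                   # tenant that owns the image
    members: dict = field(default_factory=dict)  # member tenant -> status


class ImageStore:
    def __init__(self):
        self.images = {}

    # --- v1-style behaviour the bug describes ------------------------------
    def create_v1(self, caller, image_id, owner=None):
        """v1 API: the caller could name another tenant as owner, so the
        image landed in that tenant's account with no consent step."""
        img = Image(image_id, owner or caller)
        self.images[image_id] = img
        return img

    # --- v2.1 two-step sharing ---------------------------------------------
    def create_v2(self, caller, image_id):
        """v2 API: the image is always owned by the caller's tenant."""
        img = Image(image_id, caller)
        self.images[image_id] = img
        return img

    def add_member(self, caller, image_id, member):
        """POST /v2/images/{id}/members: only the owner may share, and the
        new member starts in 'pending'."""
        img = self.images[image_id]
        if caller != img.owner:
            raise Forbidden("only the image owner can add members")
        img.members[member] = PENDING
        return PENDING

    def set_member_status(self, caller, image_id, member, status):
        """PUT /v2/images/{id}/members/{member}: only the member tenant
        itself may accept or reject the share."""
        img = self.images[image_id]
        if caller != member:
            raise Forbidden("only the member tenant can change its status")
        if status not in (ACCEPTED, REJECTED):
            raise ValueError(status)
        img.members[member] = status
        return status

    def list_images(self, tenant, member_status=ACCEPTED):
        """GET /v2/images: owned images plus shared images whose membership
        matches member_status. The default is 'accepted', so a pending
        share stays out of the tenant's listing until it accepts."""
        out = []
        for img in self.images.values():
            if img.owner == tenant:
                out.append(img.image_id)
            elif member_status == "all" and tenant in img.members:
                out.append(img.image_id)
            elif img.members.get(tenant) == member_status:
                out.append(img.image_id)
        return sorted(out)


def demo():
    store = ImageStore()
    # v1: tenant-a plants an image directly in tenant-b's account.
    store.create_v1("tenant-a", "img-v1", owner="tenant-b")
    v1_seen_by_b = store.list_images("tenant-b")           # ['img-v1']

    # v2.1: tenant-a shares; tenant-b sees nothing new until it accepts.
    store.create_v2("tenant-a", "img-v2")
    store.add_member("tenant-a", "img-v2", "tenant-b")
    before = store.list_images("tenant-b")                  # ['img-v1']
    pending = store.list_images("tenant-b", member_status=PENDING)  # ['img-v1', 'img-v2']
    store.set_member_status("tenant-b", "img-v2", "tenant-b", ACCEPTED)
    after = store.list_images("tenant-b")                   # ['img-v1', 'img-v2']
    return v1_seen_by_b, before, pending, after


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the thread relies on: under v2.1 the receiving tenant has to take an explicit action (the PUT to its own member record) before the shared image shows up in its default listing, and neither the owner nor any third tenant can perform that step on its behalf.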