Bug 1174474 (CVE-2014-9493)

Summary: CVE-2014-9493 openstack-glance: unrestricted path traversal flaw
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abaron, abelopez, akscram, alexander.sakhnov, aortega, apevec, ayoung, bfilippov, chrisw, dallan, eglynn, fpercoco, gkotton, gmollett, itamar, jobernar, jonathansteffan, jose.castro.leon, jrusnack, karlthered, lhh, lpeer, markmc, mlvov, mmagr, ndipanov, nsantos, p, rbryant, rk, sclewis, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was discovered that an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.
Story Points: ---
Last Closed: 2015-02-19 21:33:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1174477, 1174478, 1174482, 1174483, 1174484, 1174485
Bug Blocks: 1174476

Description Vincent Danen 2014-12-15 22:02:43 UTC
Title: Glance v2 API unrestricted path traversal
Reporter: Masahito Muroi (NTT)
Products: Glance
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description:
Masahito Muroi from NTT reported a vulnerability in Glance. By setting a malicious image location, an authenticated user can download or delete any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.

Note:
A potential mitigation strategy available for operators is to change the glance policy to restrict access to administrators for get_image_location, set_image_location, and delete_image_location. An example patch to be applied to /etc/glance/policy.json is attached.

References:
https://launchpad.net/bugs/1400966

Mitigation policy patch:

diff --git a/etc/policy.json b/etc/policy.json
index 325f00b..a797f12 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -13,9 +13,9 @@
     "download_image": "",
     "upload_image": "",
 
-    "delete_image_location": "",
-    "get_image_location": "",
-    "set_image_location": "",
+    "delete_image_location": "role:admin",
+    "get_image_location": "role:admin",
+    "set_image_location": "role:admin",
 
     "add_member": "",
     "delete_member": "",
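Review bot: this hunk changes policy defaults only, so it is a mitigation rather than a fix for the traversal itself; the location string is still not validated, and the hunk leaves "download_image": "" open, which is expected since the traversal depends on a location being stored first. Before applying, confirm that the role name in "role:admin" matches the role actually assigned to administrators in the deployment's identity service, otherwise the three rules lock everyone out of these operations. Also note that restricting get_image_location (not only set_image_location and delete_image_location) hides location metadata from all non-admin v2 API clients, which is a functional change operators should be aware of.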

Comment 1 Vincent Danen 2014-12-15 22:06:04 UTC
Created openstack-glance tracking bugs for this issue:

Affects: fedora-all [bug 1174477]
Affects: openstack-rdo [bug 1174478]

Comment 5 Vincent Danen 2014-12-18 18:02:44 UTC
Note that this was disclosed Dec 15 and is still waiting on a CVE assignment:

http://www.openwall.com/lists/oss-security/2014/12/15/8

Comment 6 Lon Hohberger 2014-12-23 16:44:38 UTC
We have patches ready here; do we wait for a CVE assignment for tracking or not?

Comment 7 Garth Mollett 2015-01-08 05:27:21 UTC
Upstream fixes are incomplete. They only block the file:// URI, leaving other options (at least filesystem://) that still allow access to files.

See:

https://bugs.launchpad.net/glance/+bug/1400966/comments/44

Comment 8 Garth Mollett 2015-01-08 21:30:07 UTC
(In reply to Garth Mollett from comment #7)
> Upstream fixes are incomplete. They only block the file:// uri leaving other
> options (at least filesystem://) that still allow access to files.
> 
> See:
> 
> https://bugs.launchpad.net/glance/+bug/1400966/comments/44

New upstream bug:
https://bugs.launchpad.net/ossa/+bug/1408663
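The point in comments 7 and 8, that a deny-list of the single `file://` scheme is bypassed by an alias scheme such as `filesystem://`, is easiest to see side by side with an allow-list of the backend schemes a deployment actually serves from. The following is an added illustration, not Glance's own location validation code; the allow-list contents and the sample locations are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: schemes this (hypothetical) deployment stores images under.
# A real deployment lists only the backends it has configured.
ALLOWED_SCHEMES = frozenset({"http", "https", "swift", "rbd"})

# Deny-list in the spirit of the first upstream fix: refuses file:// and nothing else.
DENIED_SCHEMES = frozenset({"file"})


def scheme_of(location: str) -> str:
    """Return the lower-cased URI scheme of an image location ('' if it has none)."""
    return urlsplit(location.strip()).scheme.lower()


def denylist_allows(location: str) -> bool:
    """Deny-list check: passes anything whose scheme is not literally 'file'."""
    return scheme_of(location) not in DENIED_SCHEMES


def allowlist_allows(location: str) -> bool:
    """Allow-list check: only known remote backends, and never a scheme-less
    bare path, which a store would resolve on the local filesystem."""
    scheme = scheme_of(location)
    return bool(scheme) and scheme in ALLOWED_SCHEMES


def check_locations(locations):
    """Map each location to (deny-list verdict, allow-list verdict) for comparison."""
    return {loc: (denylist_allows(loc), allowlist_allows(loc)) for loc in locations}


# Constructed sample locations: two legitimate remote ones, a file-backed one,
# the alias-scheme variant from comment 7, an upper-cased scheme, and a bare path.
SAMPLE_LOCATIONS = [
    "swift://account/container/image-id",
    "http://images.example.test/cirros.img",
    "file:///path/on/glance/server",
    "filesystem:///path/on/glance/server",
    "FILE:///path/on/glance/server",
    "/path/on/glance/server",
]

if __name__ == "__main__":
    for loc, (deny, allow) in check_locations(SAMPLE_LOCATIONS).items():
        print(f"{loc:40} deny-list: {'pass' if deny else 'BLOCK':5}  "
              f"allow-list: {'pass' if allow else 'BLOCK'}")
```

Only the `filesystem://` and bare-path rows differ between the two columns, which is exactly the gap comment 7 describes.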

Comment 9 Flavio Percoco 2015-01-12 11:27:27 UTC
*** Bug 1174907 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2015-02-19 21:10:03 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7
  OpenStack 4 for RHEL 6

Via RHSA-2015:0246 https://rhn.redhat.com/errata/RHSA-2015-0246.html