Bug 1181533 (CVE-2015-1195)

Summary: CVE-2015-1195 openstack-glance: unrestricted path traversal flaw (incomplete fix for CVE-2014-9493) (OSSA 2015-002)
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: abaron, akscram, alexander.sakhnov, aortega, apevec, ayoung, bfilippov, chrisw, dallan, eglynn, fpercoco, gkotton, gmollett, itamar, jobernar, jonathansteffan, jose.castro.leon, karlthered, lhh, lpeer, markmc, mlvov, mmagr, ndipanov, nsantos, p, rbryant, rk, sclewis, vkaigoro, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was discovered that the fix for CVE-2014-9493 was incomplete: an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.
Last Closed: 2015-02-19 21:58:02 UTC
Bug Blocks: 1174476    

Description Martin Prpič 2015-01-13 10:53:25 UTC
Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme, an authenticated user can still download or delete any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.

References:
https://launchpad.net/bugs/1408663

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Jin Liu of EMC as the original reporter.
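
Added example (not part of the original report and not Glance's code): a sketch of why validating user-supplied image locations with a scheme denylist can miss an alias such as filesystem://, next to an allowlist check that rejects it. The function names, the denylist contents, the allowlisted schemes and the sample URIs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical denylist that only names one local-file scheme (assumption).
LOCAL_SCHEME_DENYLIST = {"file"}
# Hypothetical deployment policy: only remote HTTP(S) locations are accepted.
REMOTE_SCHEME_ALLOWLIST = {"http", "https"}


def denylist_allows(uri: str) -> bool:
    """Weak check: rejects only the schemes someone remembered to list."""
    return urlsplit(uri).scheme.lower() not in LOCAL_SCHEME_DENYLIST


def allowlist_allows(uri: str) -> bool:
    """Stronger check: approved remote scheme and a non-empty host only."""
    parts = urlsplit(uri)
    return (parts.scheme.lower() in REMOTE_SCHEME_ALLOWLIST
            and bool(parts.hostname))


def audit_locations(locations):
    """Return (uri, denylist_verdict, allowlist_verdict) per location."""
    return [(u, denylist_allows(u), allowlist_allows(u)) for u in locations]


# Constructed sample inputs; paths and hosts are placeholders.
SAMPLES = [
    "https://images.example.org/cirros.img",
    "file:///tmp/example-file",
    "filesystem:///tmp/example-file",
    "FileSystem:///tmp/example-file",
    "https:///no-host",
]

if __name__ == "__main__":
    for uri, weak, strong in audit_locations(SAMPLES):
        print(f"{uri:45} denylist={'accept' if weak else 'reject'} "
              f"allowlist={'accept' if strong else 'reject'}")
```

The denylist accepts both filesystem:// samples while the allowlist rejects every location that is not a remote HTTP(S) URL with a host.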

Comment 1 Martin Prpič 2015-01-13 10:55:03 UTC
CVE request: http://seclists.org/oss-sec/2015/q1/124

Comment 4 Garth Mollett 2015-02-19 21:56:09 UTC
Statement:

The fix for CVE-2014-9493 is complete and openstack-glance for Red Hat Enterprise Linux Open Stack Platform 4.0 and 5.0 is not affected by this issue.

This issue did not affect the version of openstack-glance as shipped with Red Hat Enterprise Linux Open Stack Platform 6.0.