Bug 1434244 (CVE-2017-7200)

Summary: CVE-2017-7200 openstack-glance: API v1 copy_from reveals network details
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, cyril, eglynn, ekuvaja, fpercoco, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, rbryant, sclewis, srevivo, tdecacqu
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
The copy_from feature in Image Service API v1 allows an attacker to perform masked network port scans. It is possible to create images with a URL such as 'http://localhost:22'. This could allow an attacker to enumerate internal network details while appearing masked, because the scan appears to originate from the Image Service. This is classified as a Server-Side Request Forgery (SSRF). Note: Some knowledge of the internal network might be necessary to exploit this flaw internally (apart from localhost).
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-08 03:45:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1436509, 1436510, 1436511, 1436512    
Bug Blocks: 1432713    

Description Summer Long 2017-03-21 05:31:24 UTC
The copy_from feature in Image Service API v1 allowed an attacker to perform masked network port scans. It was possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance image service.
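
An added example, not part of the bug report or of Glance's own code: a Python check that an audit script or filtering proxy in front of the Image Service could run over copy_from source URLs, flagging ones such as 'http://localhost:22' that point at loopback, private or other non-global addresses or at unexpected ports. The allowed schemes and ports, the function names and the sample name table are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}   # assumption: scheme -> default port
ALLOWED_PORTS = {80, 443}                      # assumption: image sources are web servers

# Constructed name table so the example runs offline; 8.8.8.8 stands in for a public host.
SAMPLE_DNS = {"localhost": ["127.0.0.1", "::1"], "images.example.org": ["8.8.8.8"]}

def internal_reason(addr):
    """Return why an address is internal-facing, or None if it is globally routable."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:127.0.0.1 style literals
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return None if ip.is_global else "non-global"

def check_copy_from(url, resolve=SAMPLE_DNS.get):
    """List objections to a copy_from URL; resolve maps a hostname to IP strings."""
    findings = []
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ALLOWED_SCHEMES:
        return [f"scheme {parts.scheme!r} not allowed"]
    host = parts.hostname
    if not host:
        return ["no host in URL"]
    port = ALLOWED_SCHEMES[parts.scheme] if port is None else port
    if port not in ALLOWED_PORTS:
        findings.append(f"port {port} not allowed")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no lookup needed
    except ValueError:
        addrs = resolve(host) or []
    if not addrs:
        findings.append(f"{host} does not resolve")
    for addr in addrs:
        reason = internal_reason(addr)
        if reason:
            findings.append(f"{host} resolves to {addr} ({reason})")
    return findings
```

The same check has to be applied to the address the fetch actually connects to, and again on every redirect; otherwise a hostname can pass here and still point inward at fetch time.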

Comment 12 Summer Long 2017-05-08 02:28:02 UTC
Statement:

Because the Image Service APIv1 was deprecated in Newton and because a workaround is possible, no fix is being made available.

For impacted products and the recommended mitigation, see the Knowledge Base article for this issue:
https://access.redhat.com/security/vulnerabilities/2999581