Bug 902964 (CVE-2013-0212)

Summary: CVE-2013-0212 openstack-glance: Backend password leak in Glance error message
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apevec, eglynn, jrusnack, markmc, ndipanov, rcvalle, rhos-maint, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20130129,reported=20130122,source=distros,cvss2=4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N,openstack-1/openstack-glance=affected,openstack-2.0/openstack-glance=affected,fedora-17/openstack-glance=affected,fedora-18/openstack-glance=affected,epel-6/openstack-glance=affected,cwe=CWE-209
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-09 00:31:55 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 903032, 903033    
Bug Blocks: 902968    
Attachments:
Description Flags
essex-CVE-2013-0212.patch
none
folsom-CVE-2013-0212.patch
none
grizzly-CVE-2013-0212.patch none

Description Kurt Seifried 2013-01-22 15:03:03 EST
Thierry Carrez (thierry@openstack.org) reports on behalf of the OpenStack Project:

Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions

Dan Prince of Red Hat discovered an issue in Glance error reporting. By
creating an image in Glance by URL that references a mis-configured
Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image
references for any reason becomes unusable, an authenticated user may
access the Glance operator's Swift credentials for that endpoint. Only
setups that use the single-tenant Swift store are affected.

Proposed patches:
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series. Unless a flaw is discovered in them, these
proposed patches will be merged to Glance master, stable/folsom and
stable/essex branches on the public disclosure date.
Comment 1 Kurt Seifried 2013-01-22 15:05:56 EST
Created attachment 685412 [details]
essex-CVE-2013-0212.patch
Comment 2 Kurt Seifried 2013-01-22 15:06:13 EST
Created attachment 685413 [details]
folsom-CVE-2013-0212.patch
Comment 3 Kurt Seifried 2013-01-22 15:06:31 EST
Created attachment 685414 [details]
grizzly-CVE-2013-0212.patch
Comment 7 Murray McAllister 2013-01-29 01:16:03 EST
Acknowledgements:

This issue was discovered by Dan Prince of Red Hat.
Comment 8 Kurt Seifried 2013-01-29 13:24:42 EST
This is now public: https://bugs.launchpad.net/glance/+bug/1098962
Comment 9 errata-xmlrpc 2013-01-30 16:06:05 EST
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0209 https://rhn.redhat.com/errata/RHSA-2013-0209.html
Comment 10 Fedora Update System 2013-02-13 21:30:55 EST
openstack-glance-2012.2.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.