A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw.
Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Affects: 2015.1.0 versions through 2015.1.1
Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an authenticated
user may mislead Glance import task action, resulting in the disclosure
of any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this flaw.
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/kilo and master on the public disclosure date.
Created attachment 1061407 [details]
Created attachment 1061408 [details]
Red Hat would like to thank the OpenStack team for reporting this issue. Upstream acknowledges Eric Harney (Red Hat) as the original reporter.
This issue has been addressed in the following products:
OpenStack 7 For RHEL 7
Via RHSA-2015:1639 https://access.redhat.com/errata/RHSA-2015:1639
Created openstack-glance tracking bugs for this issue:
Affects: openstack-rdo [bug 1254397]