Bug 1434244 – CVE-2017-7200 openstack-glance: API v1 copy_from reveals network details

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1434244 - (CVE-2017-7200) CVE-2017-7200 openstack-glance: API v1 copy_from reveals network details

Summary:	CVE-2017-7200 openstack-glance: API v1 copy_from reveals network details

Status:	CLOSED WONTFIX

Aliases:	CVE-2017-7200

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170315,repor...
Keywords:	Security

Depends On:	1436509 1436510 1436511 1436512
Blocks:	1432713
	Show dependency tree / graph

Reported:	2017-03-21 01:31 EDT by Summer Long
Modified:	2017-05-07 23:45 EDT (History)
CC List:	19 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	The copy_from feature in Image Service API v1 allows an attacker to perform masked network port scans. It is possible to create images with a URL such as 'http://localhost:22'. This could allow an attacker to enumerate internal network details while appearing masked, because the scan appears to originate from the Image Service. This is classified as a Server-Side Request Forgery (SSRF). Note: Some knowledge of the internal network might be necessary to exploit this flaw internally (apart from localhost).
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-05-07 23:45:01 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Summer Long 2017-03-21 01:31:24 EDT

The copy_from feature in Image Service API v1 allowed an attacker to perform masked network port scans. It was possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance image service.

Comment 1 Summer Long 2017-03-21 01:31:39 EDT

External References:

https://wiki.openstack.org/wiki/OSSN/OSSN-0078
https://bugs.launchpad.net/ossn/+bug/1606495
https://bugs.launchpad.net/ossn/+bug/1153614

Comment 12 Summer Long 2017-05-07 22:28:02 EDT

Statement:

Because the Image Service APIv1 was deprecated in Newton and because a workaround is possible, no fix is being made available.

For impacted products and the recommended mitigation, see the Knowledge Base article for this issue:
https://access.redhat.com/security/vulnerabilities/2999581

Note You need to log in before you can comment on or make changes to this bug.