Bug 1174474 (CVE-2014-9493) - CVE-2014-9493 openstack-glance: unrestricted path traversal flaw
Summary: CVE-2014-9493 openstack-glance: unrestricted path traversal flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9493
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1174907
Depends On: 1174477 1174478 1174482 1174483 1174484 1174485
Blocks: 1174476
Reported: 2014-12-15 22:02 UTC by Vincent Danen
Modified: 2021-02-17 05:53 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.
Clone Of:
Environment:
Last Closed: 2015-02-19 21:33:20 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0246 0 normal SHIPPED_LIVE Important: openstack-glance security update 2015-02-20 02:09:51 UTC

Description Vincent Danen 2014-12-15 22:02:43 UTC
Title: Glance v2 API unrestricted path traversal
Reporter: Masahito Muroi (NTT)
Products: Glance
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description:
Masahito Muroi from NTT reported a vulnerability in Glance. By setting a malicious image location, an authenticated user can download or delete any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.

Note:
A potential mitigation strategy available for operators is to change the glance policy to restrict access to administrators for get_image_location, set_image_location, and delete_image_location. An example patch to be applied to /etc/glance/policy.json is attached.

References:
https://launchpad.net/bugs/1400966

Mitigation policy patch:

diff --git a/etc/policy.json b/etc/policy.json
index 325f00b..a797f12 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -13,9 +13,9 @@
     "download_image": "",
     "upload_image": "",
 
-    "delete_image_location": "",
-    "get_image_location": "",
-    "set_image_location": "",
+    "delete_image_location": "role:admin",
+    "get_image_location": "role:admin",
+    "set_image_location": "role:admin",
 
     "add_member": "",
     "delete_member": "",
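Review bot: the three role:admin rules close the reported path for non-admin users, but the hunk does not touch the admin side, so any token carrying role:admin can still register a file:// location and read or delete files the glance process user can reach; the policy change is a mitigation, not a fix, and the note above should say so. Two side effects worth documenting next to the patch: the empty string "" in this file means "allow everyone", so the unchanged `"download_image": ""` and `"upload_image": ""` lines are deliberate and keep normal image traffic working, while non-admin workflows that create images by location rather than by upload will start failing with 403 once `"set_image_location": "role:admin"` is in place.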

Comment 1 Vincent Danen 2014-12-15 22:06:04 UTC
Created openstack-glance tracking bugs for this issue:

Affects: fedora-all [bug 1174477]
Affects: openstack-rdo [bug 1174478]

Comment 5 Vincent Danen 2014-12-18 18:02:44 UTC
Note that this was disclosed Dec 15 and is still waiting on a CVE assignment:

http://www.openwall.com/lists/oss-security/2014/12/15/8

Comment 6 Lon Hohberger 2014-12-23 16:44:38 UTC
We have patches ready here; do we wait for a CVE assignment for tracking or not?

Comment 7 Garth Mollett 2015-01-08 05:27:21 UTC
Upstream fixes are incomplete. They only block the file:// URI, leaving other options (at least filesystem://) that still allow access to files.

See:

https://bugs.launchpad.net/glance/+bug/1400966/comments/44

Comment 8 Garth Mollett 2015-01-08 21:30:07 UTC
(In reply to Garth Mollett from comment #7)
> Upstream fixes are incomplete. They only block the file:// URI, leaving other
> options (at least filesystem://) that still allow access to files.
> 
> See:
> 
> https://bugs.launchpad.net/glance/+bug/1400966/comments/44

New upstream bug:
https://bugs.launchpad.net/ossa/+bug/1408663
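
The incomplete-fix point in comment 7 (blocking the literal file:// prefix while filesystem:// still reaches the same backend) is the classic denylist-versus-allowlist mistake. The following is an added example, not code from Glance or from the upstream fix, that models the two approaches side by side: a prefix denylist as described in the comment, and a scheme allowlist that parses the location URL first. The sample locations, the assumed set of local-filesystem scheme aliases ('file' and 'filesystem') and the operator allowlist of remote schemes are all constructed for illustration.

```python
"""Image-location scheme validation: prefix denylist vs. parsed-scheme allowlist."""
from urllib.parse import urlsplit

# Constructed sample locations an authenticated user might submit as an
# image location (not taken from the report).
SAMPLE_LOCATIONS = [
    "swift+https://proxy.example.invalid/v1/AUTH_t/glance/img-1",
    "http://images.example.invalid/cirros.img",
    "file:///etc/glance/glance-api.conf",        # caught by the prefix check
    "filesystem:///etc/glance/glance-api.conf",  # alias the prefix check misses
    "FILE:///etc/glance/glance-api.conf",        # case variant the prefix check misses
    "/etc/glance/glance-api.conf",               # no scheme at all
]

# Assumption for this example: scheme names that the local filesystem
# store answers to.  Any of them lets the API touch the server's disk.
LOCAL_SCHEMES = frozenset({"file", "filesystem"})

# Assumed operator-chosen allowlist of remote backends.
ALLOWED_SCHEMES = frozenset(
    {"http", "https", "swift", "swift+http", "swift+https", "rbd", "cinder"}
)


def prefix_denylist_accepts(url: str) -> bool:
    """Model of a fix that only rejects locations starting with 'file://'.

    Returns True when the location would be accepted.
    """
    return not url.startswith("file://")


def touches_local_filesystem(url: str) -> bool:
    """True if the parsed scheme maps to the local filesystem store.

    urlsplit() lowercases the scheme, so 'FILE://' and 'filesystem://'
    are both recognised, which a string-prefix test cannot do.
    """
    return urlsplit(url).scheme in LOCAL_SCHEMES


def scheme_allowlist_accepts(url: str) -> bool:
    """Accept only locations whose parsed scheme is explicitly allowed.

    An empty scheme (a bare path) is rejected as well, since it is not
    in the allowlist.
    """
    scheme = urlsplit(url).scheme
    return bool(scheme) and scheme in ALLOWED_SCHEMES


def compare(urls):
    """Return {url: (prefix_denylist_result, scheme_allowlist_result)}."""
    return {u: (prefix_denylist_accepts(u), scheme_allowlist_accepts(u)) for u in urls}


if __name__ == "__main__":
    verdict = {True: "accept", False: "reject"}
    for url, (deny, allow) in compare(SAMPLE_LOCATIONS).items():
        print(f"{url:58} prefix-denylist={verdict[deny]:6} scheme-allowlist={verdict[allow]}")
```

Running it shows the denylist rejecting only the exact `file://` spelling and waving through `filesystem://`, `FILE://` and a bare path, while the allowlist rejects all four local variants and accepts only the two remote locations. Deciding on the parsed scheme is also the shape a complete fix has to take: the set of accepted backends is small and known to the operator, whereas the set of spellings that reach the local store is whatever the store happens to register.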

Comment 9 Flavio Percoco 2015-01-12 11:27:27 UTC
*** Bug 1174907 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2015-02-19 21:10:03 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7
  OpenStack 4 for RHEL 6

Via RHSA-2015:0246 https://rhn.redhat.com/errata/RHSA-2015-0246.html

