Title: Glance v2 API unrestricted path traversal
Reporter: Masahito Muroi (NTT)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description:
Masahito Muroi from NTT reported a vulnerability in Glance. By setting a malicious image location an authenticated user can download or delete any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.

Note: A potential mitigation strategy available for operators is to change the glance policy to restrict access to administrators for get_image_location, set_image_location, and delete_image_location. An example patch to be applied to /etc/glance/policy.json is attached.

References: https://launchpad.net/bugs/1400966

Mitigation policy patch:
diff --git a/etc/policy.json b/etc/policy.json index 325f00b..a797f12 100644 --- a/etc/policy.json +++ b/etc/policy.json @@ -13,9 +13,9 @@ "download_image": "", "upload_image": "", - "delete_image_location": "", - "get_image_location": "", - "set_image_location": "", + "delete_image_location": "role:admin", + "get_image_location": "role:admin", + "set_image_location": "role:admin", "add_member": "", "delete_member": "",
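Review bot: the hunk tightens only the three *_image_location rules to role:admin and leaves the surrounding rules in context (download_image, upload_image, add_member, delete_member) at "", which matches the description's scope since the flaw is triggered through get/set/delete of the image location; worth stating next to the patch is that this limits who can reach the location operations but does not validate the location value itself, so it is a mitigation to keep in place alongside, not instead of, the upstream code fix.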
Created openstack-glance tracking bugs for this issue: Affects: fedora-all [bug 1174477] Affects: openstack-rdo [bug 1174478]
Upstream patch: https://review.openstack.org/#/q/I72dbead3cb2dcb87f52658ddb880e26880cc229b,n,z
Note that this was disclosed Dec 15 and is still waiting on a CVE assignment: http://www.openwall.com/lists/oss-security/2014/12/15/8
We have patches ready here; do we wait for a CVE assignment for tracking or not?
Upstream fixes are incomplete. They only block the file:// uri leaving other options (at least filesystem://) that still allow access to files. See: https://bugs.launchpad.net/glance/+bug/1400966/comments/44
(In reply to Garth Mollett from comment #7)
> Upstream fixes are incomplete. They only block the file:// uri leaving other
> options (at least filesystem://) that still allow access to files.
>
> See:
>
> https://bugs.launchpad.net/glance/+bug/1400966/comments/44

New upstream bug: https://bugs.launchpad.net/ossa/+bug/1408663
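Two defender-side checks drawn from this thread, written as an added example and not Glance's own code: an audit of the policy.json mitigation from the description, and a scheme allowlist for image locations that shows why a denylist of only file:// (the incomplete upstream fix discussed above) still admits filesystem://. The allowed scheme set and the policy fragment are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed policy.json fragment: two rules mitigated, one still open.
POLICY_JSON = """{
  "download_image": "",
  "delete_image_location": "role:admin",
  "get_image_location": "role:admin",
  "set_image_location": ""
}"""

LOCATION_RULES = ("delete_image_location", "get_image_location", "set_image_location")

# Assumed allowlist for this deployment (not a Glance default): only the
# backends the operator actually serves images from are permitted.
ALLOWED_LOCATION_SCHEMES = frozenset({"http", "https", "swift", "rbd"})


def unrestricted_location_rules(policy_text: str) -> list:
    """Return the location rules still open to any authenticated user.

    A missing rule or an empty-string rule ("") means the admin-only
    mitigation from the advisory has not been applied for that operation.
    """
    policy = json.loads(policy_text)
    return [rule for rule in LOCATION_RULES if policy.get(rule, "") == ""]


def denylist_is_local(location: str) -> bool:
    """The incomplete approach: reject only the literal file:// scheme."""
    return urlsplit(location).scheme.lower() == "file"


def location_is_acceptable(location: str) -> bool:
    """Allowlist approach: accept a location only if its scheme is explicitly
    permitted and it names a remote authority (so bare local paths and any
    unknown local-storage scheme such as filesystem:// are rejected)."""
    parts = urlsplit(location)
    return parts.scheme.lower() in ALLOWED_LOCATION_SCHEMES and bool(parts.netloc)


def rejected_locations(locations: list) -> list:
    """Filter a batch of candidate locations down to the ones to refuse."""
    return [loc for loc in locations if not location_is_acceptable(loc)]
```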
*** Bug 1174907 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:

OpenStack 5 for RHEL 6
OpenStack 5 for RHEL 7
OpenStack 4 for RHEL 6

Via RHSA-2015:0246 https://rhn.redhat.com/errata/RHSA-2015-0246.html