1252378 – (CVE-2015-5163) CVE-2015-5163 openstack-glance: Glance v2 API host file disclosure through qcow2 backing file

Bug 1252378 (CVE-2015-5163) - CVE-2015-5163 openstack-glance: Glance v2 API host file disclosure through qcow2 backing file

Summary: CVE-2015-5163 openstack-glance: Glance v2 API host file disclosure through qc...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-5163
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1253101 1254397
Blocks:	1252380
TreeView+	depends on / blocked

Reported:	2015-08-11 09:36 UTC by Vasyl Kaigorodov
Modified:	2021-02-17 05:02 UTC (History)
CC List:	18 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw.
Clone Of:
Environment:
Last Closed:	2015-08-18 01:47:19 UTC

Attachments	(Terms of Use)
cve-2015-5163-master-liberty.patch (5.94 KB, text/plain) 2015-08-11 09:37 UTC, Vasyl Kaigorodov	no flags	Details
cve-2015-5163-stable-kilo.patch (6.04 KB, text/plain) 2015-08-11 09:37 UTC, Vasyl Kaigorodov	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1639	0	normal	SHIPPED_LIVE	Important: openstack-glance security update	2015-08-18 05:25:23 UTC

Description Vasyl Kaigorodov 2015-08-11 09:36:18 UTC

Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0 versions through 2015.1.1

Description:
Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an authenticated
user may mislead Glance import task action, resulting in the disclosure
of any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this flaw.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/kilo and master on the public disclosure date.

Comment 1 Vasyl Kaigorodov 2015-08-11 09:37:16 UTC

Created attachment 1061407 [details]
cve-2015-5163-master-liberty.patch

Comment 2 Vasyl Kaigorodov 2015-08-11 09:37:19 UTC

Created attachment 1061408 [details]
cve-2015-5163-stable-kilo.patch

Comment 3 Vasyl Kaigorodov 2015-08-11 09:39:39 UTC

Acknowledgements:

Red Hat would like to thank the OpenStack team for reporting this issue. Upstream acknowledges Eric Harney (Red Hat) as the original reporter.

Comment 5 errata-xmlrpc 2015-08-18 01:25:33 UTC

This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2015:1639 https://access.redhat.com/errata/RHSA-2015:1639

Comment 6 Garth Mollett 2015-08-18 01:46:40 UTC

Created openstack-glance tracking bugs for this issue:

Affects: openstack-rdo [bug 1254397]

Note You need to log in before you can comment on or make changes to this bug.