[openstack-announce] [OSSA 2013-027] Glance image_download policy not enforced for cached images (CVE-2013-4428)

Thierry Carrez thierry at openstack.org
Tue Oct 22 15:29:57 UTC 2013


OpenStack Security Advisory: 2013-027
CVE: CVE-2013-4428
Date: October 22, 2013
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Grizzly, Folsom (and earlier versions)

Description:
Stuart McLaren from HP reported a vulnerability in Glance's enforcement of
the download_image policy for cached images. Deployers may set a
download_image policy to restrict image download to specific roles.
However, once an image had been cached by an authorized download, any
authenticated user who could determine the image UUID could download the
image contents from the cache, bypassing the download_image policy
restrictions. This could result in disclosure of image contents that were
thought to be protected by the download_image policy setting. Only setups
making use of the download_image policy are affected.

The Havana release (2013.2) is not affected.
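To make the flaw class concrete, the following is an added, constructed model of the ordering bug the advisory describes; it is not Glance's code, and the policy engine, cache, user names and image UUID are all assumptions. The vulnerable handler consults the local cache before the policy check, so a cache hit serves the bytes to any authenticated caller; the fixed handler enforces download_image on every request before touching the cache.

```python
"""Toy model of a download_image policy check around an image cache.

Constructed illustration for OSSA 2013-027, not Glance code: a minimal
role-based policy engine, an in-memory cache, and two download handlers,
one that short-circuits on a cache hit before enforcing policy and one
that enforces policy on every request.
"""


class PolicyDenied(Exception):
    """Raised when the caller lacks a role the policy requires."""


class Context:
    """Request context: the calling user and their roles (constructed)."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = set(roles)


# Constructed policy: only holders of the 'downloader' role may download.
POLICY = {"download_image": {"downloader"}}


def enforce(policy, action, context):
    """Raise PolicyDenied unless the context holds a role allowed for action."""
    allowed_roles = policy.get(action, set())
    if not (context.roles & allowed_roles):
        raise PolicyDenied(f"{context.user} lacks a role permitted for {action}")


class ImageStore:
    """Backend store plus a local cache; reports which path served a request."""

    def __init__(self, images):
        self.backend = images
        self.cache = {}

    def get(self, image_id):
        if image_id in self.cache:
            return self.cache[image_id], "cache"
        data = self.backend[image_id]
        self.cache[image_id] = data  # populate cache on first download
        return data, "backend"


def download_vulnerable(store, context, image_id):
    """Flawed ordering: a cache hit returns before the policy is consulted."""
    if image_id in store.cache:
        return store.cache[image_id], "cache"
    enforce(POLICY, "download_image", context)
    return store.get(image_id)


def download_fixed(store, context, image_id):
    """Policy is enforced on every request, regardless of cache state."""
    enforce(POLICY, "download_image", context)
    return store.get(image_id)


def demo(handler):
    """Authorized download first (populates the cache), then a user without
    the role requests the same UUID. Returns 'served' or 'denied' for the
    second request."""
    store = ImageStore({"uuid-constructed-0001": b"image bytes"})
    authorized = Context("alice", ["downloader"])
    unauthorized = Context("bob", ["member"])
    data, source = handler(store, authorized, "uuid-constructed-0001")
    assert source == "backend" and data == b"image bytes"
    try:
        handler(store, unauthorized, "uuid-constructed-0001")
        return "served"
    except PolicyDenied:
        return "denied"


if __name__ == "__main__":
    print("vulnerable handler:", demo(download_vulnerable))  # served
    print("fixed handler:", demo(download_fixed))  # denied
```

The general lesson for any service that fronts an authorization check with a cache is that the cache must sit behind the policy decision, not in front of it: cache the data, never the answer to "may this caller read it".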

Grizzly fix (included in the recent 2013.1.4 release):
https://review.openstack.org/#/c/50103/

Folsom fix:
https://review.openstack.org/#/c/50860/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4428
https://bugs.launchpad.net/glance/+bug/1235378

Regards,

-- 
Thierry Carrez
OpenStack Vulnerability Management Team