-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenStack Security Advisory: 2012-017 (ERRATA 1) CVE: CVE-2012-4573, CVE-2012-5482 Date: November 9, 2012 Title: Authentication bypass for image deletion Impact: High Reporter: Gabe Westmaas (Rackspace) Products: Glance Affects: Essex, Folsom, Grizzly Description: Gabe Westmaas from Rackspace reported a vulnerability in Glance authentication of image deletion requests. Authenticated users may be able to delete arbitrary, non-protected images from Glance servers. All Folsom and Grizzly deployments are affected. Additionally, Essex deployments that use the delayed_delete option are also affected. Fixes: Grizzly: https://github.com/openstack/glance/commit/6ab0992e5472ae3f9bef0d2ced4103065... https://github.com/openstack/glance/commit/b591304b8980d8aca8fa6cda9ea1621ac... 2012.2 (Folsom): https://github.com/openstack/glance/commit/90bcdc5a89e350a358cf320a03f5afe99... https://github.com/openstack/glance/commit/fc0ee7623ec59c87ac6fc671e95a9798d... 2012.1 (Essex): https://github.com/openstack/glance/commit/efd7e75b1f419a52c7103c7840e24af8e... References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4573 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5482 https://bugs.launchpad.net/glance/+bug/1065187 https://bugs.launchpad.net/glance/+bug/1076506 Notes: This fix will be included in the grizzly-1 development milestone and in a future 2012.2 (Folsom) release. OSSA History: 2012-11-09 - Errata 1 - Updated to reflect that the v2 API in Folsom and Grizzly was also affected - Include links to fixes for the v2 API - Added CVE-2012-5482 for the vulnerability against the v2 API 2012-11-07 - Original Version - -- Russell Bryant OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlCdDn0ACgkQFg9ft4s9SAaDMQCfec7E8Dc8kL0ILEgUT39nqWty npgAnRtJtgD7Zrtll9yBYA33egUnPdcj =P/7D -----END PGP SIGNATURE-----