[OSSA 2013-027] Glance image_download policy not enforced for cached images (CVE-2013-4428)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-027
CVE: CVE-2013-4428
Date: October 22, 2013
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Grizzly, Folsom (and earlier versions)

Description:
Stuart McLaren from HP reported a vulnerability in Glance download_image
policy enforcement in the case of cached images. Deployers may opt to set a
download_image policy to restrict image download to specific roles. However,
once an image has been cached by an authorized download, any authenticated
user who can determine the image UUID could download the image contents,
bypassing any download_image policy restrictions. This could result in
disclosure of image contents that were thought to be protected by the
download_image policy setting. Only setups making use of the download_image
policy are affected. The Havana release (2013.2) is not affected.

Grizzly fix (included in the recent 2013.1.4 release):
https://review.openstack.org/#/c/50103/

Folsom fix:
https://review.openstack.org/#/c/50860/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4428
https://bugs.launchpad.net/glance/+bug/1235378

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSZpnsAAoJEFB6+JAlsQQjOpMQAMFKO3bARjWRONmB+MjllfYj
VMouesgWTzzuak2PlPHjdfdr0HEzCSUqvaVUKaW2V2+3CogEONs/Wtlrw75WBM0p
FqqkFQjlymR/CuB3GtspqkrDGerH4+zOoNE1jzwBZnmvSqunvfKz1jGKEatvMfQh
8rx7oMleUcAv/1+xrk48h+hdqwsjorIgdBkvaUwG/XbssfmYwbXeRYLDyk2zuoI5
tD0YiINQe+fe52HgZfpS9fpENteeUdTd5V2tS+ZhWNUD0b8FzxHvuiaseTSyjlNX
brTcFz1ryHJT3Ki3m/lGe3Xg/ZRuN0zl1XM1Y+EJ5BXVcJV6Ee6DxdoMYaDi5Leb
QSXeLchkBQxgvxs+Qn8cXlhtYKH7FWtWjsCPKvAJ5XBmtSbyVeiRd24/89PWUMZM
UfZ9mBV+AXTaWcN+HyN8xdytXST6wNgPr99IA9/Pcb1dvKLQY4KbdEqnxIGtlvSQ
Hh+VtIPYWsDbinpoeensYYLqpAA/e0WTnwU4PfHi/es+ezk6ZCiHbwvHaGPaKvhL
uSa/053iJby/bmYu5/vEfqgGrCUOB0sSBVTed1KlF8SmiMMwT7iYgLPUC36FN+io
W5CgdbqG+mYKAFpDUBbWI5Ss75QH+SkTCs2kakyybEx2X+MQ89U+X2VFcYEuoiQ6
wJ/pLl8ktLUERbo4uguT
=MZ6l
-----END PGP SIGNATURE-----
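The class of bug the advisory describes is an ordering mistake: a cache hit takes a fast path that never reaches the policy check, so the first authorized download effectively authorizes everyone who knows the UUID. The following is an added illustration written for this page, not Glance code and not the linked fix; the class and function names (`Policy`, `Backend`, `ImageServiceBuggy`, `ImageServiceFixed`, `demo`) and the sample image UUID are constructed. It models a role-based `download_image` rule and contrasts the flawed cache-first ordering with the corrected policy-first ordering.

```python
"""Toy model of the cached-image policy bypass described in OSSA 2013-027.

Added example for this page, not Glance's own code. ``Policy``, ``Backend``,
``ImageServiceBuggy``, ``ImageServiceFixed`` and ``demo`` are constructed
names; the image UUID and bytes below are constructed sample data.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the policy denies the requested action."""


@dataclass
class Request:
    user: str
    roles: set


class Policy:
    """Minimal stand-in for a policy file: action -> set of allowed roles."""

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, action, req):
        allowed = self.rules.get(action)
        if allowed is None:  # no rule configured for this action: permit
            return
        if not (req.roles & allowed):
            raise Forbidden(f"{req.user} may not {action}")


@dataclass
class Backend:
    """Slow image store; counts reads so the cache's effect is visible."""
    images: dict
    reads: int = 0

    def get(self, image_id):
        self.reads += 1
        return self.images[image_id]


class ImageServiceBuggy:
    """Flawed ordering: the cache is consulted before policy is enforced.

    After an authorized user populates the cache, later requests for the same
    UUID are served from the cache path without ever reaching the policy
    check, which is the behaviour the advisory describes.
    """

    def __init__(self, policy, backend):
        self.policy, self.backend, self.cache = policy, backend, {}

    def download(self, req, image_id):
        if image_id in self.cache:  # fast path skips enforcement entirely
            return self.cache[image_id]
        self.policy.enforce("download_image", req)
        data = self.backend.get(image_id)
        self.cache[image_id] = data
        return data


class ImageServiceFixed(ImageServiceBuggy):
    """Corrected ordering: enforce policy on every request, then serve from
    cache or backend. The cache only saves backend reads; it must never
    influence the authorization decision."""

    def download(self, req, image_id):
        self.policy.enforce("download_image", req)
        if image_id not in self.cache:
            self.cache[image_id] = self.backend.get(image_id)
        return self.cache[image_id]


def demo(service_cls):
    """Return (admin_ok, member_ok): whether each download succeeded once the
    image is cached. A True second value means the policy was bypassed."""
    policy = Policy({"download_image": {"admin"}})  # only admins may download
    backend = Backend({"UUID-constructed-1": b"constructed image bytes"})
    svc = service_cls(policy, backend)
    admin = Request("alice", {"admin", "member"})
    member = Request("bob", {"member"})

    # First download by an authorized role populates the cache.
    admin_ok = svc.download(admin, "UUID-constructed-1") == b"constructed image bytes"
    # Second download by an unauthorized role hits the cached entry.
    try:
        svc.download(member, "UUID-constructed-1")
        member_ok = True
    except Forbidden:
        member_ok = False
    return admin_ok, member_ok


if __name__ == "__main__":
    print("buggy:", demo(ImageServiceBuggy))  # (True, True): policy bypassed
    print("fixed:", demo(ImageServiceFixed))  # (True, False): policy enforced
```

The defender-side lesson generalizes beyond Glance: any authorization check placed after a cache, CDN or memoization layer only protects the first request. Put enforcement on the request path before any lookup, and add a regression test like `demo` that exercises the cached case with a user who should be denied.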