[OSSA 2013-002] Backend password leak in Glance error message (CVE-2013-0212)

30 Jan 2013

Dan Prince of Red Hat discovered an issue in Glance error reporting. By
creating an image in Glance by URL that references a mis-configured
Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image
references for any reason becomes unusable, an authenticated user may
access the Glance operator's Swift credentials for that endpoint. Only
setups that use the single-tenant Swift store are affected.

Grizzly (development branch) fix:
http://github.com/openstack/glance/commit/e96273112b5b5da58d970796b7cfce04c5...

Folsom fix (included in upcoming Glance 2012.2.3 stable update):
http://github.com/openstack/glance/commit/96a470be64adcef97f235ca96ed3c59ed9...

Essex fix:
http://github.com/openstack/glance/commit/37d4d96bf88c2bf3e7e9511b5e321cf4be...

References:
https://bugs.launchpad.net/glance/+bug/1098962
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0212

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRCCvqAAoJEFB6+JAlsQQj9scP/1bQzhQ5lA/jNoPIPMlUKOr4
NlrT9+QA6pF3xOjTQeyViTTUfMn1YHdOTS8bi/NeSlL3UuEhpdCb59APwqmZva3u
Tx+so6L3nc5qNRdDAAr6oNBYmD08T41ceLpzjv9BbTgPxD4gUCg9WeySBAa+I7MU
1w1hvhObhQWZ8Xvqf/2tKTrMpGuJOS/0aoMSQUMqFR47moyYgBznNT6J3FaC3haE
jRh4RSv7XKN2MU0Cv05m/txXNUTP6rtl+qAiGW9UZvhTHY/kafaJLi/HuGkmANf0
fkuoKL5VxFYoIbHDlJ+ymPUz/jgoZJNkvvmS5mQH7YFBdgAvzAIAYJ4jk8uOMMmo
AHqaVdfZYCWRP6pMDzjnU5EGhRrgt2RafWsnU8MyYePrF3G8dcikvQlIki+PlmPT
+zXjPoIsirFJh3XSTRNbUDwIww6AuBbhxgJD78NhQY/12MC5zELOasWcpTKPyvLs
HTIe8AbVLf5Z0blZdUZHGlzFBQlgPU3ydIjY1UStWPYNCQs2hTrtoq9y68LmDzix
jRQ3jmKhMGsLwlrcskSyD/1qGGD6NNPRJwME7pXspy7mBlN0LS9OLRwhYHTzNGwx
YTSKhy12xooqYkaJncZEduTBKwMJLMwk/HZxD7KRuKPM7xoK64mkyz/03rUsQORj
na6Kqw9rcPfJG0jfh3/c
=PyUp
-----END PGP SIGNATURE-----

Thierry Carrez

tags

participants (1)