OpenStack Security Advisory: 2012-017 CVE: CVE-2012-4573 Date: November 7, 2012 Title: Authentication bypass for image deletion Impact: High Reporter: Gabe Westmaas (Rackspace) Products: Glance Affects: Essex, Folsom, Grizzly Description: Gabe Westmaas from Rackspace reported a vulnerability in Glance authentication of image deletion requests. Authenticated users may be able to delete arbitrary, non-protected images from Glance servers. Only Folsom/Grizzly deployments that expose the v1 API are affected by this vulnerability. Additionally, Essex deployments that use the delayed_delete option are also affected. Fixes: Grizzly: https://github.com/openstack/glance/commit/6ab0992e5472ae3f9bef0d2ced41030655d9d2bc 2012.2 (Folsom): https://github.com/openstack/glance/commit/90bcdc5a89e350a358cf320a03f5afe99795f6f6 2012.1 (Essex): https://review.openstack.org/#/c/15562/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4573 https://bugs.launchpad.net/glance/+bug/1065187 Notes: This fix will be included in the grizzly-1 development milestone and in a future 2012.2 (Folsom) release. -- Russell Bryant OpenStack Vulnerability Management Team