[openstack-announce] [OSSA 2014-012] Remote code execution in Glance Sheepdog backend (CVE-2014-0162)

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Apr 10 17:20:04 UTC 2014


OpenStack Security Advisory: 2014-012
CVE: CVE-2014-0162
Date: April 10, 2014
Title: Remote code execution in Glance Sheepdog backend
Reporter: Paul McMillan (Nebula)
Products: Glance
Versions: from 2013.2 to 2013.2.3

Description:
Paul McMillan from Nebula reported a vulnerability in Glance Sheepdog
backend. By using a specially crafted location, a user allowed to insert
or modify Glance image metadata may trigger code execution on the Glance
host as the user the Glance service runs under. This may result in
Glance host unauthorized access and further compromise of the Glance
service. All setups using Glance server with the (enabled by default)
sheepdog backend are affected.

Juno (development branch) fix:
https://review.openstack.org/86622

Icehouse (milestone-proposed branch) fix:
https://review.openstack.org/86625

Havana fix:
https://review.openstack.org/86626

Notes:
This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0162
https://launchpad.net/bugs/1298698

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140410/2ceff121/attachment.pgp>


More information about the OpenStack-announce mailing list