[PKG-Openstack-devel] Bug#799931: CVE-2015-5251: (OSSA 2015-019) Glance image status manipulation
Thomas Goirand
zigo at debian.org
Thu Sep 24 12:55:34 UTC 2015
Source: glance
Version: 2014.1.3-12
Severity: important
Tags: security patch
OSSA-2015-019: Glance image status manipulation
===============================================
:Date: September 22, 2015
:CVE: CVE-2015-5251
Affects
~~~~~~~
- Glance: <=2014.2.3, >=2015.1.0, <=2015.1.1
Description
~~~~~~~~~~~
Hemanth Makkapati of Rackspace reported a vulnerability in Glance. By
submitting a HTTP PUT request with a "x-image-meta-status" header, a
tenant can manipulate the status of their images. A malicious tenant
may exploit this flaw to reactivate disabled images, bypass storage
quotas and in some cases replace image contents. Setups using the
Glance v1 API allow the illegal modification of image status. Setups
which also use the v2 API may allow a subsequent re-upload of image
contents.
Patches
~~~~~~~
- https://review.openstack.org/226338 (Juno)
- https://review.openstack.org/226337 (Kilo)
- https://review.openstack.org/226336 (Liberty)
Credits
~~~~~~~
- Hemanth Makkapati from Rackspace (CVE-2015-5251)
References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1482371
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5251
Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo)
releases.
More information about the Openstack-devel
mailing list