CVE-2014-9493

Published: 07 January 2015

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

Priority

Medium

Status

Package Release Status
glance
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1:2014.1.4-0ubuntu1])
Patches:
Upstream: https://review.openstack.org/142788 (icehouse)
Upstream: https://review.openstack.org/142373 (juno)
Upstream: https://review.openstack.org/141706 (kilo)

Notes

AuthorNote
jdstrand
Per upstream, "A potential mitigation strategy available for
operators is to change the glance policy to restrict access to administrators
for get_image_location, set_image_location, and delete_image_location."
Ubuntu 12.04 LTS not affected (does not have V2 API)
preliminary packages for Ubuntu 14.04 LTS and 14.10 can be found in:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
mdeslaur
This issue wasn't fully addressed by the original patches, see:
http://lists.openstack.org/pipermail/openstack-announce/2015-January/000323.html
incomplete fix got CVE-2015-1195

References

Bugs