atom feed1 message in net.launchpad.lists.openstack[Openstack] [OSSA 2012-017.1] Authent...
FromSent OnAttachments
Russell BryantNov 9, 2012 6:08 am 
Subject:[Openstack] [OSSA 2012-017.1] Authentication bypass for image deletion (CVE-2012-4573, CVE-2012-5482) ERRATA 1
From:Russell Bryant (rbry@redhat.com)
Date:Nov 9, 2012 6:08:06 am
List:net.launchpad.lists.openstack

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

OpenStack Security Advisory: 2012-017 (ERRATA 1) CVE: CVE-2012-4573, CVE-2012-5482 Date: November 9, 2012 Title: Authentication bypass for image deletion Impact: High Reporter: Gabe Westmaas (Rackspace) Products: Glance Affects: Essex, Folsom, Grizzly

Description: Gabe Westmaas from Rackspace reported a vulnerability in Glance authentication of image deletion requests. Authenticated users may be able to delete arbitrary, non-protected images from Glance servers. All Folsom and Grizzly deployments are affected. Additionally, Essex deployments that use the delayed_delete option are also affected.

Fixes: Grizzly:

https://github.com/openstack/glance/commit/6ab0992e5472ae3f9bef0d2ced41030655d9d2bc

https://github.com/openstack/glance/commit/b591304b8980d8aca8fa6cda9ea1621aca000c88 2012.2 (Folsom):

https://github.com/openstack/glance/commit/90bcdc5a89e350a358cf320a03f5afe99795f6f6

https://github.com/openstack/glance/commit/fc0ee7623ec59c87ac6fc671e95a9798d6f2e2c3 2012.1 (Essex):

https://github.com/openstack/glance/commit/efd7e75b1f419a52c7103c7840e24af8e5deb29d

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4573 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5482 https://bugs.launchpad.net/glance/+bug/1065187 https://bugs.launchpad.net/glance/+bug/1076506

Notes: This fix will be included in the grizzly-1 development milestone and in a future 2012.2 (Folsom) release.

OSSA History: 2012-11-09 - Errata 1 - Updated to reflect that the v2 API in Folsom and Grizzly was also affected - Include links to fixes for the v2 API - Added CVE-2012-5482 for the vulnerability against the v2 API 2012-11-07 - Original Version

iEYEARECAAYFAlCdDmIACgkQFg9ft4s9SAa7OgCgp5T7I/jtch2w4X+M4WXiRZIk sswAn10Oloak4YK3pyvHUlUXVPDN9C8K =5JZI -----END PGP SIGNATURE-----