Subject: [Openstack] [OSSA 2012-017.1] Authentication bypass for image deletion (CVE-2012-4573, CVE-2012-5482) ERRATA 1
From: Russell Bryant
Date: Nov 9, 2012 6:08:29 am


OpenStack Security Advisory: 2012-017 (ERRATA 1)
CVE: CVE-2012-4573, CVE-2012-5482
Date: November 9, 2012
Title: Authentication bypass for image deletion
Impact: High
Reporter: Gabe Westmaas (Rackspace)
Products: Glance
Affects: Essex, Folsom, Grizzly

Description: Gabe Westmaas from Rackspace reported a vulnerability in Glance authentication of image deletion requests. Authenticated users may be able to delete arbitrary, non-protected images from Glance servers. All Folsom and Grizzly deployments are affected. Additionally, Essex deployments that use the delayed_delete option are also affected.

Fixes:
Grizzly:
2012.2 (Folsom):
2012.1 (Essex):


Notes: This fix will be included in the grizzly-1 development milestone and in a future 2012.2 (Folsom) release.

OSSA History:
2012-11-09 - Errata 1
  - Updated to reflect that the v2 API in Folsom and Grizzly was also affected
  - Include links to fixes for the v2 API
  - Added CVE-2012-5482 for the vulnerability against the v2 API
2012-11-07 - Original Version
