Bug 912007 (CVE-2014-9493) - VUL-0: CVE-2014-9493: openstack-glance: unrestricted path traversal flaw
Summary: VUL-0: CVE-2014-9493: openstack-glance: unrestricted path traversal flaw
Status: RESOLVED FIXED
Alias: CVE-2014-9493
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Deadline: 2015-03-11
Assignee: Ralf Haferkamp
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112050/
Whiteboard: maint:running:60917:important
 
Reported: 2015-01-07 08:55 UTC by Victor Pereira
Modified: 2016-04-27 19:23 UTC
Found By: Security Response Team

Description Victor Pereira 2015-01-07 08:55:18 UTC
CVE-2014-9493

Title: Glance v2 API unrestricted path traversal
Reporter: Masahito Muroi (NTT)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Masahito Muroi from NTT reported a vulnerability in Glance. By setting a malicious image location, an authenticated user can download or delete any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.

Note:
A potential mitigation strategy available for operators is to change the glance policy to restrict access to administrators for get_image_location, set_image_location, and delete_image_location. An example patch to be applied to /etc/glance/policy.json is attached.

References:
https://launchpad.net/bugs/1400966

Mitigation policy patch:

diff --git a/etc/policy.json b/etc/policy.json
index 325f00b..a797f12 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -13,9 +13,9 @@
     "download_image": "",
     "upload_image": "",
 
-    "delete_image_location": "",
-    "get_image_location": "",
-    "set_image_location": "",
+    "delete_image_location": "role:admin",
+    "get_image_location": "role:admin",
+    "set_image_location": "role:admin",
 
     "add_member": "",
     "delete_member": "",
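
Review bot: the three location rules ("delete_image_location", "get_image_location", "set_image_location") are tightened to "role:admin", but nothing in this hunk constrains the location value itself, so a caller holding the admin role can still set any location. Since policy.json cannot carry comments, the commit message or package changelog should state that this is a temporary mitigation to be dropped once location handling is fixed. It should also note that users without the admin role lose get_image_location, which the previous empty rule allowed to everyone.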



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1174474
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9493
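
The mitigation note in the description depends on three policy actions no longer being open to every user. The check below is an added example, not part of the bug report or of Glance: it audits a policy file for those three actions. The function names, the sample documents, and the fallback and allow-all semantics are assumptions labelled in the comments.

```python
import json

# The three actions the advisory's mitigation note tells operators to restrict.
LOCATION_ACTIONS = ("get_image_location", "set_image_location",
                    "delete_image_location")
# Assumption: an empty rule, "@" and an empty list all mean "any authenticated user".
ALLOW_ALL = ("", "@", [])

def resolve(policy, name, seen=()):
    """Return the rule that governs `name`: a missing entry falls back to
    "default" (assumed engine behaviour), a bare "rule:<alias>" is followed."""
    if name in seen:  # alias loop, cannot be resolved
        return None
    rule = policy.get(name, policy.get("default"))
    if isinstance(rule, str) and rule.startswith("rule:") and " " not in rule:
        return resolve(policy, rule[len("rule:"):], seen + (name,))
    return rule

def audit_location_policy(policy_text):
    """Map each location action to True when its rule lets any user call it."""
    policy = json.loads(policy_text)
    return {a: resolve(policy, a) in ALLOW_ALL for a in LOCATION_ACTIONS}

# Constructed samples: the first two mirror the before/after lines of the patch.
BEFORE = '''{"download_image": "", "delete_image_location": "",
             "get_image_location": "", "set_image_location": ""}'''
AFTER = '''{"download_image": "", "delete_image_location": "role:admin",
            "get_image_location": "role:admin", "set_image_location": "role:admin"}'''
# Hypothetical file: one alias to an admin rule, one alias to "@", one rule missing.
ALIASED = '''{"default": "", "context_is_admin": "role:admin", "anyone": "@",
              "get_image_location": "rule:context_is_admin",
              "set_image_location": "rule:anyone"}'''

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("aliased", ALIASED)):
        open_actions = sorted(a for a, is_open in audit_location_policy(text).items() if is_open)
        print(f"{label}: unrestricted location actions = {open_actions or 'none'}")
```

A rule that is merely an alias or is absent from the file can still resolve to an allow-all rule, which is why the check follows references instead of comparing the literal strings.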
Comment 1 Swamp Workflow Management 2015-01-07 23:00:14 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2015-02-02 08:23:28 UTC
Are we even using the glance v2 API? otherwise we would not be affected

affected package would be openstack-glance
Comment 3 Vincent Untz 2015-02-02 08:42:40 UTC
(In reply to Bernhard Wiedemann from comment #2)
> Are we even using the glance v2 API? otherwise we would not be affected
> 
> affected package would be openstack-glance

Yes: https://github.com/crowbar/barclamp-glance/blob/release/stoney/master/chef/cookbooks/glance/templates/default/glance-api.conf.erb#L81
Comment 4 Johannes Segitz 2015-02-11 12:57:37 UTC
(In reply to Vincent Untz from comment #3)
Since we're affected: Could we please have a submit so we can include it in
https://swamp.suse.de/webswamp/swamp/template/DisplayWorkflow.vm/workflowid/60289
Comment 6 Bernhard Wiedemann 2015-03-03 14:20:18 UTC
update submitted
Comment 7 Swamp Workflow Management 2015-03-04 15:29:35 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60917
Comment 8 Ralf Haferkamp 2015-03-11 09:37:44 UTC
The patch from comment #0, which we merged into the package, is wrong. It was intended as a mitigation fix for the problem until the real underlying issue was fixed. The real fixes are:

For https://bugs.launchpad.net/glance/+bug/1400966 :
https://review.openstack.org/141706 (master)
https://review.openstack.org/142419 (juno)
https://review.openstack.org/142703 (icehouse)

and for https://bugs.launchpad.net/ossa/+bug/1408663 :
https://review.openstack.org/145640 (master)
https://review.openstack.org/145916 (juno)
https://review.openstack.org/145974 (icehouse)

All those have landed in the packages already and are even released already as part of:
https://download.suse.com/Download?buildid=Vf5KyaKV5y8~

I'll revert the change from https://build.suse.de/request/show/52594; there's nothing more needed to fix this bug.
Comment 9 Ralf Haferkamp 2015-03-23 09:13:54 UTC
The unneeded patch has been reverted. Nothing more to do here right now.