Bug 945994 (CVE-2015-5251) - VUL-0: CVE-2015-5251: openstack-glance: Glance v1 API image status manipulation
Status: RESOLVED FIXED
Alias: CVE-2015-5251
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2015-5251:6.0:(AV:N...
Reported: 2015-09-16 07:21 UTC by Victor Pereira
Modified: 2016-08-16 08:25 UTC
Description Victor Pereira 2015-09-16 07:21:07 UTC
Hemanth Makkapati of Rackspace reported a vulnerability in
Glance. By submitting a HTTP PUT request with a
'x-image-meta-status' header, a tenant can manipulate the
status of their images. A malicious tenant may exploit this
flaw to reactivate disabled images, bypass storage quotas and
in some cases replace image contents. Setups using the Glance
v1 API allow the illegal modification of image status. Setups
which also use the v2 API may allow a subsequent re-upload of
image contents.
Comment 1 Victor Pereira 2015-09-16 07:27:19 UTC
CRD: 2015-09-22, 1500UTC
Comment 5 Swamp Workflow Management 2015-09-16 22:00:36 UTC
bugbot adjusting priority
Comment 6 Marcus Meissner 2015-09-30 13:21:49 UTC
http://www.openwall.com/lists/oss-security/2015/09/22/9

is public

Date: Tue, 22 Sep 2015 12:19:04 -0700
From: Grant Murphy <grant.murphy@....com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2015-019] Glance image status manipulation (CVE-2015-5251)

===============================================
OSSA-2015-019: Glance image status manipulation
===============================================

:Date: September 22, 2015
:CVE: CVE-2015-5251


Affects
~~~~~~~
- Glance: <=2014.2.3, >=2015.1.0, <=2015.1.1


Description
~~~~~~~~~~~
Hemanth Makkapati of Rackspace reported a vulnerability in Glance. By
submitting a HTTP PUT request with a "x-image-meta-status" header, a
tenant can manipulate the status of their images. A malicious tenant
may exploit this flaw to reactivate disabled images, bypass storage
quotas and in some cases replace image contents. Setups using the
Glance v1 API allow the illegal modification of image status. Setups
which also use the v2 API may allow a subsequent re-upload of image
contents.


Patches
~~~~~~~
- https://review.openstack.org/226338 (Juno)
- https://review.openstack.org/226337 (Kilo)
- https://review.openstack.org/226336 (Liberty)


Credits
~~~~~~~
- Hemanth Makkapati from Rackspace (CVE-2015-5251)


References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1482371
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5251


Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo)
  releases.
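
As an added illustration of the advisory above (not code from the Glance project, its patches, or this bug report): a WSGI filter in front of a v1 API endpoint can refuse or strip the "x-image-meta-status" header on image updates until the fixed packages are deployed. The `PUT /v1/images/<id>` route, the class and function names, and the sample request values are assumptions made for the example.

```python
import logging
import re

LOG = logging.getLogger("glance_status_guard")
# WSGI exposes the request header "x-image-meta-status" under this key.
STATUS_KEY = "HTTP_X_IMAGE_META_STATUS"
# Assumed v1 image update route: PUT /v1/images/<image_id>
V1_IMAGE_PATH = re.compile(r"^/v1/images/[^/]+/?$")


class ImageStatusGuard:
    """WSGI filter: refuse client-supplied image status on v1 image updates."""

    def __init__(self, app, reject=True):
        self.app = app
        self.reject = reject  # False: drop the header and pass the request on

    def __call__(self, environ, start_response):
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        is_put = environ.get("REQUEST_METHOD", "").upper() == "PUT"
        if is_put and V1_IMAGE_PATH.match(path) and STATUS_KEY in environ:
            LOG.warning("x-image-meta-status=%r on PUT %s from %s",
                        environ[STATUS_KEY], path, environ.get("REMOTE_ADDR"))
            if self.reject:
                body = b"x-image-meta-status may not be set by clients\n"
                start_response("403 Forbidden", [
                    ("Content-Type", "text/plain"),
                    ("Content-Length", str(len(body)))])
                return [body]
            environ = {k: v for k, v in environ.items() if k != STATUS_KEY}
        return self.app(environ, start_response)


def demo(method, path, headers, reject=True):
    """Run one constructed request; return (status, header the backend saw)."""
    seen, result = {}, {}

    def backend(environ, start_response):  # stand-in for the Glance API app
        seen["status_header"] = environ.get(STATUS_KEY)
        start_response("200 OK", [("Content-Length", "0")])
        return [b""]

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "REMOTE_ADDR": "192.0.2.10"}  # constructed sample values
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    ImageStatusGuard(backend, reject)(
        environ, lambda status, hdrs: result.update(status=status))
    return result["status"], seen.get("status_header")
```

Pass `reject=False` to drop the header instead of answering 403, if some client in the deployment sends it routinely.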
Comment 7 Dirk Mueller 2015-09-30 14:44:42 UTC
The patches are already in our packages, added bugzilla/CVE reference. Things are currently stuck in gating.
Comment 9 Vincent Untz 2015-10-12 08:33:09 UTC
Submitted as mr#73641
Comment 10 Andreas Stieger 2016-01-13 12:37:14 UTC
Releasing Cloud 5 update.

Not fixing openSUSE 13.1. Closing.
Comment 11 Swamp Workflow Management 2016-01-13 16:11:49 UTC
SUSE-SU-2016:0101-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 945051,945994,947735
CVE References: CVE-2015-5251,CVE-2015-5286
Sources used:
SUSE OpenStack Cloud 5 (src):    openstack-glance-2014.2.4.juno-14.1, openstack-glance-doc-2014.2.4.juno-14.1