Date: Wed, 07 Nov 2012 17:10:07 -0500 From: Russell Bryant <rbryant@...hat.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2012-017] Authentication bypass for image deletion (CVE-2012-4573) OpenStack Security Advisory: 2012-017 CVE: CVE-2012-4573 Date: November 7, 2012 Title: Authentication bypass for image deletion Impact: High Reporter: Gabe Westmaas (Rackspace) Products: Glance Affects: Essex, Folsom, Grizzly Description: Gabe Westmaas from Rackspace reported a vulnerability in Glance authentication of image deletion requests. Authenticated users may be able to delete arbitrary, non-protected images from Glance servers. Only Folsom/Grizzly deployments that expose the v1 API are affected by this vulnerability. Additionally, Essex deployments that use the delayed_delete option are also affected. Fixes: Grizzly: https://github.com/openstack/glance/commit/6ab0992e5472ae3f9bef0d2ced41030655d9d2bc 2012.2 (Folsom): https://github.com/openstack/glance/commit/90bcdc5a89e350a358cf320a03f5afe99795f6f6 2012.1 (Essex): https://review.openstack.org/#/c/15562/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4573 https://bugs.launchpad.net/glance/+bug/1065187 Notes: This fix will be included in the grizzly-1 development milestone and in a future 2012.2 (Folsom) release. -- Russell Bryant OpenStack Vulnerability Management Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.