Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 07 Nov 2012 17:10:07 -0500
From: Russell Bryant <rbryant@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2012-017] Authentication bypass for image deletion (CVE-2012-4573)

OpenStack Security Advisory: 2012-017
CVE: CVE-2012-4573
Date: November 7, 2012
Title: Authentication bypass for image deletion
Impact: High
Reporter: Gabe Westmaas (Rackspace)
Products: Glance
Affects: Essex, Folsom, Grizzly

Description:
Gabe Westmaas from Rackspace reported a vulnerability in Glance
authentication of image deletion requests. Authenticated users may be
able to delete arbitrary, non-protected images from Glance servers. Only
Folsom/Grizzly deployments that expose the v1 API are affected by this
vulnerability. Additionally, Essex deployments that use the
delayed_delete option are also affected.

Fixes:
Grizzly:
https://github.com/openstack/glance/commit/6ab0992e5472ae3f9bef0d2ced41030655d9d2bc
2012.2 (Folsom):
https://github.com/openstack/glance/commit/90bcdc5a89e350a358cf320a03f5afe99795f6f6
2012.1 (Essex): https://review.openstack.org/#/c/15562/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4573
https://bugs.launchpad.net/glance/+bug/1065187

Notes:
This fix will be included in the grizzly-1 development milestone and in
a future 2012.2 (Folsom) release.

-- 
Russell Bryant
OpenStack Vulnerability Management Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.