yahoo-eng-team team mailing list archive

[Bug 1226078] Re: Glance allows user to create images and add other tenants as members (CVE-2013-4354)


This is what OSSNs (security notes) have been designed to solve --
informing the public of security best practices around OpenStack, when
patching the code does not fully address all concerns.

My suggestion would be for an OSSN to mention the potential image
sneaking in previous versions, and to encourage people to run Havana
Glance with enable_v1_api=False if they can?

** Also affects: ossn
   Importance: Undecided
       Status: New

** Changed in: glance
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1226078

Title:
  Glance allows user to create images and add other tenants as members
  (CVE-2013-4354)

Status in OpenStack Image Registry and Delivery Service (Glance):
  Invalid
Status in OpenStack Security Advisories:
  Incomplete
Status in OpenStack Security Notes:
  New

Bug description:
  It's well known that Glance does not perform any check on tenants.
  This has been a behavior we kept as-is to avoid increasing requests
  needed in the image management process, however, after some tests, I
  think this behavior can be a security issue.

  Scenario:
  - Create an image using user1
  - Pick the tenant id of user2 and add it as a member of the image user1 just created
  - Use user2 to list images. This will list the image user1 created.

  I think this is an issue because it allows users from other tenants to
  sneak images with a backdoor into other tenants.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1226078/+subscriptions