[OSSA 2013-002] glance image-download can display backend Swift password
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | High | Dan Prince |
Essex | Fix Committed | High | Dan Prince |
Folsom | Fix Released | High | Dan Prince |
Grizzly | Fix Released | High | Dan Prince |
OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez |
Bug Description
Using the latest release of Glance Grizzly (git 2d9b3f1) on Fedora 17.
It appears that Glance can return a 404 message which contains the backend Swift store password when there are errors obtaining the image from Swift.
Example:

```
[root@nova1 image]# glance image-download foo
Request returned failure status.
404 Not Found
Swift could not find image at uri swift+http://
(HTTP 404)
```
----
The above could happen for any user that can access the Glance server.
A simple way to replicate this is to do something like this:
1) Set up Glance using Swift as a backend (single tenant mode).
2) Remove or block an image from the Swift account where images are stored.
3) Attempt to download the same image (which you removed from Swift) from Glance.
---
The root cause of the issue appears to be that the Swift store can raise NotFound exceptions with the backend location URI in them.
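The failure path described above, as an added illustration that is not Glance's own code: a toy Swift-backed store whose NotFound message embeds the full backend location URI (credentials in the userinfo part, as in single-tenant mode), beside a hardened version that masks the userinfo before the message is built. The API layer mimics the bug by copying the exception text straight into the 404 body. The location URI, the in-memory "Swift account" and every function name here are constructed for the example.

```python
"""Added example: credential leak through a store's NotFound message,
and the same path with the location URI scrubbed first.
Not Glance's code; all names and data below are constructed."""
from urllib.parse import urlsplit, urlunsplit


class NotFound(Exception):
    """Raised by the toy store when the object is missing from Swift."""


# Constructed single-tenant style location. The key sits in the userinfo
# part of the URI, which is exactly what must never reach an API client.
LOCATION = "swift+http://tenant:glance:s3cretKey@swift.example.com:8080/images/abc-123"

# Constructed stand-in for the Swift account. The requested image has been
# removed, mirroring step 2 of the reproduction above.
SWIFT_OBJECTS = {"images/other-image": b"..."}


def _object_path(uri):
    """container/object part of a swift+http URI."""
    return urlsplit(uri).path.lstrip("/")


def scrub_uri(uri):
    """Return the URI with the whole userinfo (user and key) masked.

    Masking everything before the last '@' avoids having to know how many
    colons the user field carries (tenant:user vs user) or whether the key
    itself contains one.
    """
    parts = urlsplit(uri)
    netloc = parts.netloc
    if "@" in netloc:
        netloc = "***:***@" + netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def get_object_vulnerable(location, objects=SWIFT_OBJECTS):
    """Vulnerable path: the raw location, credentials included, goes into the message."""
    path = _object_path(location)
    if path not in objects:
        raise NotFound("Swift could not find image at uri %s" % location)
    return objects[path]


def get_object_hardened(location, objects=SWIFT_OBJECTS):
    """Hardened path: same message shape, userinfo masked before formatting."""
    path = _object_path(location)
    if path not in objects:
        raise NotFound("Swift could not find image at uri %s" % scrub_uri(location))
    return objects[path]


def api_download(get_object, location=LOCATION):
    """Toy API layer that, like the reported bug, copies the exception text into the 404 body."""
    try:
        get_object(location)
    except NotFound as exc:
        return "404 Not Found\n%s\n(HTTP 404)" % exc
    return "200 OK"


def leaks_secret(body, secret="s3cretKey"):
    """True if the client-visible body contains the backend key."""
    return secret in body


if __name__ == "__main__":
    print(api_download(get_object_vulnerable))
    print(api_download(get_object_hardened))
```

The hardened body still names the host, container and object, which is all an operator needs to debug the missing image; only the userinfo is gone. A check like `leaks_secret` run against API responses in a functional test is a cheap regression guard for this class of bug.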
- description: updated
- information type: Private Security → Public Security
- Changed in glance: status: Fix Committed → Fix Released
- summary: "glance image-download can display backend Swift password" → "[OSSA 2013-002] glance image-download can display backend Swift password"
- Changed in ossa: assignee: nobody → Thierry Carrez (ttx); status: New → Fix Released
Awesome! glance-core, please +1 patches, I'll draft an impact statement for your reviewing pleasure.