CVE-2012-4573, CVE-2012-5482 – Authentication bypass for image deletion

OpenStack Security Advisory: 2012-017 (ERRATA 1)

CVE: CVE-2012-4573, CVE-2012-5482
Date: November 9, 2012
Title: Authentication bypass for image deletion
Impact: High
Reporter: Gabe Westmaas (Rackspace)
Products: Glance
Affects: Essex, Folsom, Grizzly

Description:

Gabe Westmaas from Rackspace reported a vulnerability in Glance
authentication of image deletion requests. Authenticated users may be
able to delete arbitrary, non-protected images from Glance servers. All
Folsom and Grizzly deployments are affected. Additionally, Essex
deployments that use the delayed_delete option are also affected.

Fixes:

Grizzly:

Folsom:

Essex:

References:

Notes:

This fix will be included in the grizzly-1 development milestone and in
a future 2012.2 (Folsom) release.

OSSA History:

2012-11-09 – Errata 1
– Updated to reflect that the v2 API in Folsom and Grizzly was also
affected
– Include links to fixes for the v2 API
– Added CVE-2012-5482 for the vulnerability against the v2 API
2012-11-07 – Original Version

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>