Issued:: 2014-04-30
Updated:: 2014-04-30

RHSA-2014:0455 - Security Advisory

Overview
Updated Packages

Synopsis

Important: openstack-glance security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated openstack-glance packages that fix one security issue are now
available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

OpenStack Image service (glance) provides discovery, registration, and
delivery services for disk and server images. It provides the ability to
copy or snapshot a server image, and immediately store it away.
Stored images can be used as a template to get new servers up and running
quickly and more consistently than installing a server operating system and
individually configuring additional services.

It was found that Sheepdog, a distributed object storage system, did not
properly validate Sheepdog image URIs. A remote attacker able to insert or
modify glance image metadata could use this flaw to execute arbitrary
commands with the privileges of the user running the glance service.
Note that only OpenStack Image setups using the Sheepdog back end were
affected. (CVE-2014-0162)

Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Paul McMillan (Nebula) as the original reporter.

All users of openstack-glance are advised to upgrade to these updated
packages, which correct this issue. After installing the updated packages,
the running glance services will be restarted automatically.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

Red Hat OpenStack 4.0 x86_64

Fixes

BZ - 1085163 - CVE-2014-0162 openstack-glance: remote code execution in Glance Sheepdog backend

CVEs

CVE-2014-0162

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 4.0

SRPM
openstack-glance-2013.2.2-3.el6ost.src.rpm	SHA-256: 3b1060a546d2276896d9fb77978330db47ec0fc8ab89ee7a13835b9f284cced4
x86_64
openstack-glance-2013.2.2-3.el6ost.noarch.rpm	SHA-256: 1f21f41b362036523dbec32897bf3a362300d1aa68d2ccd1136ca6069ab99dec
openstack-glance-doc-2013.2.2-3.el6ost.noarch.rpm	SHA-256: 1c18e12a1fd946cfa79aab6181625257b5173f13c1521ccc4f2222d22b5f63d8
python-glance-2013.2.2-3.el6ost.noarch.rpm	SHA-256: f0facf6ce4eabe7fef91bdd3e48c287563f1fdf53601c7a4db78cf3432b8d051

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation