OSSA-2014-012: Remote code execution in Glance Sheepdog backend
- Date: April 10, 2014
- CVE: CVE-2014-0162
Affects
Glance: from 2013.2 to 2013.2.3
Description
Paul McMillan from Nebula reported a vulnerability in the Glance Sheepdog backend. By using a specially crafted location, a user allowed to insert or modify Glance image metadata may trigger code execution on the Glance host as the user the Glance service runs under. This may result in unauthorized access to the Glance host and further compromise of the Glance service. All setups using Glance server with the sheepdog backend (enabled by default) are affected.
Patches
https://review.openstack.org/#/c/86625 (Icehouse)
Credits
Paul McMillan from Nebula (CVE-2014-0162)