Description
A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images.
Statement
You must be using Ceph as a backend to be affected by this flaw. As this flaw would involve significant architectural changes, the impact is moderate. A fix will not be produced for Red Hat OpenStack Platform 16.2 and older releases. If you are concerned about the risk of this flaw against your environment, please follow guidance in the mitigation section, but understand this comes with performance tradeoffs.
Mitigation
There are two options:
- Manually disable the show_multiple_locations configuration setting (change it to false).
- Keep show_multiple_locations enabled, but restrict the glance-api service from being exposed directly to end users. Refer to the upstream OSSN listed in the external references section for further details.
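A check for the first option, written for this page as an added example (it is not Red Hat's or the Glance project's code): it reads the text of a glance-api.conf file and reports whether show_multiple_locations is enabled together with a Ceph store. The function name `audit_glance_conf`, the sample files, and the assumption that the setting sits in `[DEFAULT]` and that Ceph appears as store type `rbd` in `stores`, `default_store` or `enabled_backends` do not come from the advisory.

```python
import configparser

def audit_glance_conf(text):
    """Audit glance-api.conf text; return (affected, findings)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Assumption: the option lives in [DEFAULT]; unset is treated as false.
    multi = cp.getboolean("DEFAULT", "show_multiple_locations", fallback=False)
    # Store types come from the single-store options ...
    raw = [cp.get("glance_store", "stores", fallback=""),
           cp.get("glance_store", "default_store", fallback="")]
    types = {t.strip().lower() for v in raw for t in v.split(",") if t.strip()}
    # ... or from multi-store "name:type" pairs in enabled_backends.
    for pair in cp.get("DEFAULT", "enabled_backends", fallback="").split(","):
        if ":" in pair:
            types.add(pair.split(":", 1)[1].strip().lower())
    ceph = "rbd" in types
    findings = []
    if multi:
        findings.append("show_multiple_locations is enabled")
    if ceph:
        findings.append("Ceph (rbd) store is configured")
    if multi and ceph:
        findings.append("set show_multiple_locations = false, or keep "
                        "glance-api off user-facing networks")
    return multi and ceph, findings

# Constructed sample files, not taken from a real deployment.
WEAK = """
[DEFAULT]
show_multiple_locations = True
[glance_store]
stores = rbd,http
default_store = rbd
"""
FIXED = WEAK.replace("show_multiple_locations = True",
                     "show_multiple_locations = false")
MULTISTORE = """
[DEFAULT]
enabled_backends = fast:rbd, archive:file
show_multiple_locations = on
"""
NOT_CEPH = """
[DEFAULT]
show_multiple_locations = true
[glance_store]
stores = file,http
"""

if __name__ == "__main__":
    for name in ("WEAK", "FIXED", "MULTISTORE", "NOT_CEPH"):
        print(name, audit_glance_conf(globals()[name]))
```

The second option (keeping glance-api away from end users) is a network exposure question and cannot be confirmed from this file alone.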
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenStack Platform 13 (Queens) | openstack-glance | Will not fix | | |
| Red Hat OpenStack Platform 16.1 | openstack-glance | Will not fix | | |
| Red Hat OpenStack Platform 16.2 | openstack-glance | Fix deferred | | |
| Red Hat OpenStack Platform 17.0 | openstack-glance | Fix deferred | | |
Additional information
Status:
4.8 Medium
CVSS3
Related vulnerabilities
OpenStack Glance Inclusion of Functionality from Untrusted Control Sphere vulnerability