OpenStack: Glance image creation in other tenant accounts (CVE-2013-4354)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With apologies, I was supposed to send this out yesterday but missed
it. I spoke with upstream and we agreed that making this public does
not present a major risk.

- From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4354

==========
Dafna Ron of Red Hat reports:

Description of problem:

when I try to create an image with tenant name and not tenant ID, the
image is not created and no errors are issued.
you simply cannot find the image.

Version-Release number of selected component (if applicable):

openstack-glance-2013.1.3-1.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:
1. install AIO with local tgt storage (using packstack)
2. create a tenant and a user
3. create an image for the tenant using the tenant name
4. run glance image-list while logging in with user
5. run the same create command using tenant ID
6. run glance image-list while logging in with the user

Actual results:

image is no created with tenant name.
no errors or indicators that the image was not created.

Expected results:

image should be created with tenant name
if we decided not to allow create of image with tenant name we should
block the command from running with missing param error

========

Upon further investigation Flavio Percoco of Red Hat reports:

Ayal suggested this could also be a security issue. I went ahead and
tested current behavior and indeed, this behavior could be used to
inject images to other users.

Scenario:
- - Create an image using user1
- - Pick tenant's id of user2 and add it as a member of the image user1
just created
- - Use user2 to list images. This will list the image user1 created.

I think this is an issue because it allows user from other tenants to
sneak images with a backdoor to other tenants.
==========


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSO0fYAAoJEBYNRVNeJnmTrm4QAKP8lbvyPi6UbqGFDBcZbNcw
K8H9Qrg0IPR6P2cLJMpMN0RKkMlkPy7sHJZXx3Yg4ki2wJ39rq5/XyaMs0y3QvbX
OumUV9hw81CuODPbpT+n5qaIWShB2LWDUK5hOvezDAyjrQTt6F0BGvkDMFp8mEA5
IX074I5590GgrNRcr1YtJyRDEblP0Q6Xcm4Pla3ShuyH39Vj6TGQDhru5Pu/0WtU
9WrDmMC7koXLzcFPj3y7XUvhE6ftjlX/9Cnc8aYA+nLA4xMVlDPazprFmcf68pWc
VUWA6C2BtsQOA30tarzHSAdd0eKiGSQ7VqKhT0Kis8rrgA65EwXKZ8CecnVdTfy6
yTGINC18iBoqR4M9bRmVpDE5xawtM0cf1BUzZZEq3pGL6ZiuALWqhMjxXRFiWOaz
Lg+92OvopIBl+L0ncWXwC0IhBvmanBl4VzPItbNlMRmgyXLUNdlRuyDJzfWci6Z8
Uh4kyl/Xk3sqBgdJOyd+gS8IRxlsqxOitppkpScDFTc7yNXzrqLS+fe1Duhkrct6
g1tKmvrBvKzOqfglSxHmABR81YS5m3DRvSEGpKsNN1uest/hNpRpbVUUB0PbgD0I
UEeug7jmKwLe1igBXrctxrBc/RRtw5c1PmvlbXDFmt3tLpl0ar0d+iuPTdZQZzee
WaPgP+KUFohNJyS/2Ljn
=gLOM
-----END PGP SIGNATURE-----