OpenStack vulnerability with QCOW2 images

Today Tristan Cacqueray of Red Hat (and of the OpenStack Vulnerability Management Team) reported a CVE-backed issue with Glance and its use of QCOW2 (“QEMU Copy On Write”, a QEMU-based image format). Glance is the OpenStack Image Service, which provides discovery, registration, and delivery services for disk and server images, as well as a REST-based API.

Glance v2 API host file disclosure through qcow2 backing file
OSSA 2015-014, CVE-2015-5163

“Eric Harney from Red Hat reported a vulnerability in Glance. By importing a qcow2 image with a malicious backing file, an authenticated user may mislead Glance import task action, resulting in the disclosure of any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw. This fix will be included in the future 2015.1.2 (kilo) release.”

For the full announcement, including more URLs to patches, see the openstack-announce or oss-security mailing lists. Check the CVE link again in the future; there’s nothing there yet.
http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html
https://launchpad.net/bugs/1471912
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5163
http://docs.openstack.org/developer/glance/
https://wiki.openstack.org/wiki/Glance

(OpenStack aside, I wonder if codebases are vulnerable to an “importing a qcow2 image with a malicious backing file” attack?)
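
As an added example (not code from this post, the advisory, or the Glance patch): a pre-import check that any image-handling service could run on the first bytes of an upload, reading the qcow2 header and refusing an image that names a backing file. The function names, the UnsafeImage exception and the sample header builder are constructed for this illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Start of the qcow2 header (big-endian): magic, version,
# backing_file_offset (u64), backing_file_size (u32).
PREFIX = struct.Struct(">4sIQI")
V2_HEADER = struct.Struct(">4sIQIIQIIQQIIQ")  # full 72-byte version 2 header


class UnsafeImage(ValueError):
    """The image must not be passed to qemu-img or a hypervisor as-is."""


def backing_file_of(head: bytes):
    """Return the backing file name (bytes) a qcow2 header points to.

    `head` is the first bytes of the upload. Returns None when the data is
    not qcow2 or has no backing file. Fails closed on unknown versions.
    """
    if len(head) < PREFIX.size:
        return None
    magic, version, offset, size = PREFIX.unpack_from(head)
    if magic != QCOW2_MAGIC:
        return None
    if version not in (2, 3):
        raise UnsafeImage(f"unsupported qcow2 version {version}")
    if offset == 0:
        return None
    # The name is `size` raw bytes at `offset`, not NUL-terminated. If `head`
    # is too short to contain it, a shorter (possibly empty) name comes back,
    # which still signals that a backing file is referenced.
    return head[offset:offset + size]


def check_upload(head: bytes) -> None:
    """Policy check for an import pipeline: refuse any backing file."""
    name = backing_file_of(head)
    if name is not None:
        raise UnsafeImage(f"qcow2 image references backing file {name!r}")


def make_sample(backing: bytes = b"") -> bytes:
    """Constructed test input: minimal version 2 header, optional backing name."""
    offset = V2_HEADER.size if backing else 0
    return V2_HEADER.pack(QCOW2_MAGIC, 2, offset, len(backing),
                          16, 1 << 20, 0, 0, 0, 0, 0, 0, 0) + backing
```

Run the check on the bytes exactly as uploaded, before any tool opens the image and follows the reference.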
