rhsa-2012_1558
Vulnerability from csaf_redhat
Published
2012-12-10 20:57
Modified
2024-11-22 06:00
Summary
Red Hat Security Advisory: openstack-glance security update

Notes

Topic
Updated openstack-glance packages that fix multiple bugs and add various enhancements are now available for Red Hat OpenStack Essex.
Details
The openstack-glance packages allow virtual machine images to be discovered, registered and retrieved. It also includes a RESTful API to provide these services to other applications. The openstack-glance packages have been upgraded to upstream version 2012.1.2, which provide a number of bug fixes and enhancements over the previous version. A flaw in Keystone allowed an attacker with access to the web and network interfaces to delete arbitrary, non-protected images from Glance servers. (CVE-2012-4573) Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Gabe Westmaas as the original reporter of CVE-2012-4573. All users of openstack-glance are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing the updated packages, the Glance services (openstack-glance-api and openstack-glance-registry) will be restarted automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated openstack-glance packages that fix multiple bugs and add various enhancements are now available for Red Hat OpenStack Essex.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The openstack-glance packages allow virtual machine images to be discovered, registered and retrieved. It also includes a RESTful API to provide these services to other applications.\n\nThe openstack-glance packages have been upgraded to upstream version 2012.1.2, which provide a number of bug fixes and enhancements over the previous version.\n\nA flaw in Keystone allowed an attacker with access to the web and network  \ninterfaces to delete arbitrary, non-protected images from Glance servers. \n(CVE-2012-4573) \n\nRed Hat would like to thank the OpenStack project for reporting this\nissue. Upstream acknowledges Gabe Westmaas as the original reporter of\nCVE-2012-4573.\n\nAll users of openstack-glance are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing the updated packages, the Glance services (openstack-glance-api and openstack-glance-registry) will be restarted automatically.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2012:1558",
        "url": "https://access.redhat.com/errata/RHSA-2012:1558"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "872302",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=872302"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1558.json"
      }
    ],
    "title": "Red Hat Security Advisory: openstack-glance security update",
    "tracking": {
      "current_release_date": "2024-11-22T06:00:26+00:00",
      "generator": {
        "date": "2024-11-22T06:00:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2012:1558",
      "initial_release_date": "2012-12-10T20:57:00+00:00",
      "revision_history": [
        {
          "date": "2012-12-10T20:57:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2012-12-10T21:00:25+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T06:00:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHOS Essex Release",
                "product": {
                  "name": "RHOS Essex Release",
                  "product_id": "6Server-Essex",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:1::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-glance-doc-0:2012.1.2-2.el6.noarch",
                "product": {
                  "name": "openstack-glance-doc-0:2012.1.2-2.el6.noarch",
                  "product_id": "openstack-glance-doc-0:2012.1.2-2.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-glance-doc@2012.1.2-2.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-glance-0:2012.1.2-2.el6.noarch",
                "product": {
                  "name": "openstack-glance-0:2012.1.2-2.el6.noarch",
                  "product_id": "openstack-glance-0:2012.1.2-2.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-glance@2012.1.2-2.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-glance-0:2012.1.2-2.el6.noarch",
                "product": {
                  "name": "python-glance-0:2012.1.2-2.el6.noarch",
                  "product_id": "python-glance-0:2012.1.2-2.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-glance@2012.1.2-2.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-glance-0:2012.1.2-2.el6.src",
                "product": {
                  "name": "openstack-glance-0:2012.1.2-2.el6.src",
                  "product_id": "openstack-glance-0:2012.1.2-2.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-glance@2012.1.2-2.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-glance-0:2012.1.2-2.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-glance-0:2012.1.2-2.el6.noarch"
        },
        "product_reference": "openstack-glance-0:2012.1.2-2.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-glance-0:2012.1.2-2.el6.src as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-glance-0:2012.1.2-2.el6.src"
        },
        "product_reference": "openstack-glance-0:2012.1.2-2.el6.src",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-glance-doc-0:2012.1.2-2.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-glance-doc-0:2012.1.2-2.el6.noarch"
        },
        "product_reference": "openstack-glance-doc-0:2012.1.2-2.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-glance-0:2012.1.2-2.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:python-glance-0:2012.1.2-2.el6.noarch"
        },
        "product_reference": "python-glance-0:2012.1.2-2.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "OpenStack project"
          ]
        }
      ],
      "cve": "CVE-2012-4573",
      "discovery_date": "2012-11-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "872302"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OpenStack: Glance Authentication bypass for image deletion",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-glance-0:2012.1.2-2.el6.noarch",
          "6Server-Essex:openstack-glance-0:2012.1.2-2.el6.src",
          "6Server-Essex:openstack-glance-doc-0:2012.1.2-2.el6.noarch",
          "6Server-Essex:python-glance-0:2012.1.2-2.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4573"
        },
        {
          "category": "external",
          "summary": "RHBZ#872302",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=872302"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4573",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4573"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4573",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4573"
        }
      ],
      "release_date": "2012-11-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-12-10T20:57:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata relevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-glance-0:2012.1.2-2.el6.noarch",
            "6Server-Essex:openstack-glance-0:2012.1.2-2.el6.src",
            "6Server-Essex:openstack-glance-doc-0:2012.1.2-2.el6.noarch",
            "6Server-Essex:python-glance-0:2012.1.2-2.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1558"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.1,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-glance-0:2012.1.2-2.el6.noarch",
            "6Server-Essex:openstack-glance-0:2012.1.2-2.el6.src",
            "6Server-Essex:openstack-glance-doc-0:2012.1.2-2.el6.noarch",
            "6Server-Essex:python-glance-0:2012.1.2-2.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "OpenStack: Glance Authentication bypass for image deletion"
    }
  ]
}







Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.