

** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'High' RISK - CVE-2015-1195 OpenStack  for [EGI-SVG-2015-8056]

Date:        2015-02-11



A vulnerability has been announced in OpenStack Image service (glance) which allows authorized users to access 
and delete files accessible by the glance user. 

Sites running OpenStack are recommended to update as soon as possible if they have not already done so.


Details are available in [R 1], [R 2], [R 3]

Risk category

This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team.  

Affected software

V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2
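
The version ranges above can be checked against a site's installed glance packages. The following is an added example, not part of the original advisory or of OpenStack; the function names and the sample package strings are constructed for illustration, and only the upstream version (YYYY.N.P) inside each string is compared.

```python
import re

# Fixed point releases named in the advisory, keyed by release series.
FIXED = {(2014, 1): 4,   # Icehouse: fixed in 2014.1.4
         (2014, 2): 2}   # Juno: fixed in 2014.2.2

# Upstream version as it appears inside package strings: YYYY.N[.P]
_UPSTREAM = re.compile(r"(?<![\d.])(\d{4})\.(\d+)(?:\.(\d+))?")


def glance_status(package_string):
    """Classify one package/version string against the advisory's ranges."""
    m = _UPSTREAM.search(package_string)
    if m is None:
        return "unknown"
    # A missing point release (e.g. "2014.2") is treated as point 0.
    year, series, point = (int(g or 0) for g in m.groups())
    if (year, series) in FIXED:
        return "affected" if point < FIXED[(year, series)] else "fixed"
    if (year, series) < (2014, 1):
        return "affected"            # advisory: "before 2014.1.4"
    return "outside advisory range"  # later series are not listed


def report(listing):
    """Return (line, status) for every non-empty line of a package listing."""
    return [(line.strip(), glance_status(line))
            for line in listing.splitlines() if line.strip()]


# Constructed sample input, not taken from a real site.
SAMPLE_LISTING = """\
openstack-glance-2014.2.1-1.el7.noarch
python-glance-2014.2.2-1.el7.noarch
glance-api 1:2014.1.3-0ubuntu1
"""

if __name__ == "__main__":
    for line, status in report(SAMPLE_LISTING):
        print(f"{status:24} {line}")
```

Distribution packages can carry a backported fix without changing the upstream version, so an "affected" result should be confirmed against the package changelog.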



Component installation information

In Juno (2014.2) the fix has been included in the 2014.2.2 release ( 
therefore sites should update all the glance packages to the 2014.2.2 version.

In Icehouse (2014.1) the fix will be included in the 2014.1.4 release, planned for February 19th. 
A patch may be made available sooner, and the version of this advisory on the wiki will be updated if it is. 


Sites are recommended to update relevant components if they have not done so already.

Once the update is complete, all the credentials accessible by the glance user (e.g. OpenStack service username and password, 
MySQL connection details, etc.) should be revoked as a precautionary measure.


This vulnerability was announced publicly and EGI SVG was alerted to it by Alvaro Lopez Garcia.


[R 1]

[R 2]

[R 3]


2015-01-15 Vulnerability announced publicly
2015-01-27 EGI SVG alerted by Alvaro Lopez Garcia
2015-01-30 Risk Assessment by the EGI Software Vulnerability Group. 
2015-02-11 Advisory sent to sites