OpenStack Glance
cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*
- < 29.1.1
- >= 30.0.0, < 30.1.1
- == 31.0.0
A Server-Side Request Forgery (SSRF) vulnerability has been identified in OpenStack Glance versions prior to 29.1.1, 30.0.0 through 30.1.1, and 31.0.0. This vulnerability allows authenticated users to bypass URL validation checks in the image import functionality, specifically through HTTP redirects. The issue is present in the 'web-download' and 'glance-download' import methods, as well as the optional 'ovf_process' image import plugin.
Exploitation of this vulnerability could lead to unauthorized access of internal services, potentially allowing attackers to exfiltrate sensitive data or credentials. According to the OpenStack Security Advisory, this vulnerability could also be exploited to access cloud metadata services on AWS, GCP, or Azure, with varying impacts depending on the service.
The vulnerability can be reproduced by using the 'web-download' import method to upload an image while including a URL that redirects to an internal service. This can be done by encoding an IP address in a way that bypasses the URL validation, such as using hexadecimal or octal formats. After the image is imported, the internal data can be exfiltrated by downloading the image through the Glance API.
Users can update to OpenStack Glance versions 29.2.0, 30.2.0, 31.1.0, or 32.0.0.0rc2, all of which include the necessary fix. Instructions for applying the update can be found in the OpenStack Glance release notes.
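The defensive counterpart to the bypass described above, as an added example that is not Glance's own code: a destination check for a URL-fetching import path that canonicalises inet_aton-style IPv4 literals (hex, octal, dword, short forms) before deciding, rejects any non-global target (the 169.254.169.254 metadata address, loopback, RFC 1918 space) and vets every redirect hop before it is requested instead of letting the HTTP client follow redirects on its own. The FAKE_REDIRECTS table and the 1.2.3.4 / 5.6.7.8 URLs are constructed stand-ins for servers' Location headers; hostnames are deliberately rejected here, and a real fetcher would resolve them and check every returned address.

```python
import ipaddress
from urllib.parse import urljoin, urlparse
# Constructed stand-in for servers' Location headers (hypothetical URLs);
# real code sends one request per hop with automatic redirects disabled.
FAKE_REDIRECTS = {"http://1.2.3.4/img.qcow2": "http://0x7f000001/admin", "http://5.6.7.8/a": "/b"}

def _part(p):  # one inet_aton component: 0x hex, leading-0 octal, else decimal
    if not (p.isascii() and p.isalnum()):  # int() alone accepts '+1', '1_0', ' 1'
        raise ValueError(p)
    base = 16 if p[:2].lower() == "0x" else 8 if p[:1] == "0" and len(p) > 1 else 10
    return int(p[2:] if base == 16 else p, base)

def ipv4_literal(host):
    """Dotted quad for inet_aton-style literals ('0x7f000001', '0x7f.1', '017700000001'), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    value = 0
    try:
        for i, p in enumerate(parts):
            width = 8 if i < len(parts) - 1 else 32 - 8 * i  # last part fills the rest
            n = _part(p)
            if not 0 <= n < 1 << width:
                return None
            value = value << width | n
    except ValueError:
        return None
    return str(ipaddress.IPv4Address(value))

def check_url(url):
    """Allow only http(s) URLs whose host is a globally routable IPv4 literal."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False, "scheme or host not allowed"
    addr = ipv4_literal(parsed.hostname)  # real code: also resolve names, vet every answer
    if addr is None or not ipaddress.ip_address(addr).is_global:
        return False, "%s is not a global address (%s)" % (parsed.hostname, addr)
    return True, "ok"

def fetch_with_checked_redirects(url, max_hops=5):
    """Validate every hop before it is requested instead of auto-following."""
    for _ in range(max_hops):
        ok, reason = check_url(url)
        if not ok:
            return None, reason
        location = FAKE_REDIRECTS.get(url)  # this hop's Location header
        if location is None:
            return url, "ok"
        url = urljoin(url, location)
    return None, "too many redirects"
```

With the constructed table, the first URL passes its own check but its redirect to the hex-encoded loopback address is refused before any request is made to it, while the second URL's relative redirect to the same public host is allowed.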