PT-2016-4404
Tags: Openstack, Openstack Image Service
Author: Erno Kuvaja
Published: 2016-04-13
Updated: 2023-03-07
CVE-2016-0757
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenStack Image Service (Glance) versions prior to 2015.1.3 (kilo)
OpenStack Image Service (Glance) versions 11.0.x prior to 11.0.2 (liberty)

Description
When the show_multiple_locations feature is enabled, a remote authenticated user can remove the last location of an image, which changes the image status and lets them upload new image data in its place. Virtual machines created from an image tampered with in this way have their integrity compromised.

Recommendations
For OpenStack Image Service (Glance) versions prior to 2015.1.3 (kilo), update to version 2015.1.3 or later.
For OpenStack Image Service (Glance) versions 11.0.x prior to 11.0.2 (liberty), update to version 11.0.2 or later.
As a temporary workaround, disable the show_multiple_locations feature until the fixed version can be applied.
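As an added audit check (not part of the advisory or of Glance itself), the following Python classifies a deployment against the two conditions above: the reported Glance version against the fixed versions, and the show_multiple_locations option in glance-api.conf, which lives in the [DEFAULT] section and defaults to False when absent. The config fragments are constructed samples.

```python
import configparser

# Fixed versions taken from the advisory: kilo 2015.1.3, liberty 11.0.2.
FIXED = {"kilo": (2015, 1, 3), "liberty": (11, 0, 2)}


def parse_version(version: str) -> tuple:
    """Turn '2015.1.2' or '11.0.1' into an int tuple; stops at a non-numeric part."""
    parts = []
    for part in version.strip().split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True if the version is in a range the advisory lists as affected.

    Year-style numbers (2014.x, 2015.x) are vulnerable when before 2015.1.3;
    11.0.x is vulnerable when before 11.0.2. Other series are treated as
    not affected because the advisory does not list them.
    """
    v = parse_version(version)
    if v and v[0] >= 2000:
        return v < FIXED["kilo"]
    if v[:2] == (11, 0):
        return v < FIXED["liberty"]
    return False


def show_multiple_locations_enabled(conf_text: str) -> bool:
    """Read glance-api.conf text; the option defaults to False when absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getboolean("DEFAULT", "show_multiple_locations", fallback=False)


def assess(version: str, conf_text: str) -> str:
    """Return 'patched', 'exposed' (vulnerable code + feature on) or 'workaround'."""
    if not is_vulnerable_version(version):
        return "patched"
    if show_multiple_locations_enabled(conf_text):
        return "exposed"
    return "workaround"


# Constructed sample glance-api.conf fragments, weak setting beside corrected one.
WEAK_CONF = "[DEFAULT]\nshow_multiple_locations = True\n"
HARDENED_CONF = "[DEFAULT]\nshow_multiple_locations = False\n"

if __name__ == "__main__":
    for ver, conf in [("2015.1.2", WEAK_CONF), ("2015.1.2", HARDENED_CONF), ("11.0.2", WEAK_CONF)]:
        print(ver, assess(ver, conf))
```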

Fix

Weakness Enumeration: Improper Access Control

Related Identifiers

CVE-2016-0757
GHSA-5GP5-VXJ6-4257
GHSA-5XRJ-GHHP-HX7P
RHSA-2016:0309
RHSA-2016:0352
RHSA-2016:0354
RHSA-2016:0358
USN-3446-1

Affected Products

Openstack Image Service
Ubuntu