CVE-2022-4134

Root

Cause CVE-2022-4134 involves two interrelated issues in OpenStack Glance. First, when the show_multiple_locations or show_image_direct_url options are enabled, authenticated users can view and manipulate image locations [1]. Second, when images are consumed via copy-on-write (COW) backends (e.g., Ceph), the system fails to validate image checksums or multihash metadata, allowing modified data to go undetected [4]. This combination enables attackers to alter image content without triggering validation checks.

Exploitation

An attacker must have authenticated access to the Glance API and the cloud must have show_multiple_locations enabled (or expose direct URLs) and use a COW backend. The attacker can remove the last location of an image, transitioning it back to 'queued' state, then upload new malicious data [3]. Alternatively, when Nova creates snapshots directly into a Ceph store, the metadata for multihash and size is omitted, making tampering easier [4]. No privileged network position is required beyond normal user credentials.

Impact

By modifying image data, the attacker compromises the integrity of any virtual machine created from the tampered image. This can lead to arbitrary code execution within guest instances, data theft, or further compromise of the cloud infrastructure.

Mitigation

The primary mitigation is to deploy two separate Glance API endpoints: one external (user-facing) that hides location fields, and one internal (service-facing) that exposes them, with firewalls blocking users from accessing the internal endpoint [1]. Additionally, ensure that all images have multihash metadata and that consumers validate checksums upon use [4]. Disable show_multiple_locations and show_image_direct_url on user-facing endpoints [1].