OpenStack Image Service (glance) provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services.
A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw. (CVE-2015-5163)
Red Hat thanks the OpenStack team for reporting this issue. Upstream acknowledges Eric Harney of Red Hat as the original reporter.
All openstack-glance users are advised to upgrade to these updated packages, which address this vulnerability.
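A pre-import header check for the qcow2 flaw described above, as an added example that is not part of the advisory or of glance's own code. It assumes the header reference of concern is the qcow2 backing-file field (the advisory does not name the field); `check_qcow2_header`, `UnsafeImage` and `_sample_header` are hypothetical names, and the sample header is constructed.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Fixed start of a qcow2 header, big-endian:
# magic, version, backing_file_offset, backing_file_size
_HEADER = struct.Struct(">4sIQI")


class UnsafeImage(ValueError):
    """Raised when an uploaded image must not be handed to conversion tools."""


def check_qcow2_header(data: bytes) -> dict:
    """Parse the start of a qcow2 header and reject backing-file references.

    `data` is the first bytes of the uploaded image (at least 20 bytes).
    Assumption: the backing-file field is the header reference to refuse.
    """
    if len(data) < _HEADER.size:
        raise UnsafeImage("truncated header")
    magic, version, bf_offset, bf_size = _HEADER.unpack_from(data)
    if magic != QCOW2_MAGIC:
        raise UnsafeImage("not a qcow2 image")
    if version not in (2, 3):
        raise UnsafeImage(f"unsupported qcow2 version {version}")
    if bf_offset != 0 or bf_size != 0:
        # Include the referenced name in the error so it reaches the audit log.
        name = data[bf_offset:bf_offset + bf_size].decode("utf-8", "replace")
        raise UnsafeImage(f"image references backing file {name!r}")
    return {"version": version, "backing_file": None}


def _sample_header(backing: bytes = b"") -> bytes:
    """Constructed input: minimal 104-byte v3 header, optional backing name."""
    offset = 104 if backing else 0
    hdr = _HEADER.pack(QCOW2_MAGIC, 3, offset, len(backing))
    return hdr.ljust(104, b"\0") + backing
```

The check inspects only the fixed header fields, so it complements the updated packages rather than replacing them.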