RH:CVE-2016-4383 (Red Hat CVE database, redhat.com / access.redhat.com)
Published: Jun 29, 2017, 12:52 p.m.

CVE-2016-4383

EPSS score: 0.002 (Low), percentile 59.8%

An immutability flaw was discovered in openstack-glance: once records of deleted images have been purged from the database (for example with the glance-manage db purge command), the IDs of those deleted images can be reassigned to new images. Because Glance lets the uploader choose an image's ID and Nova refers to images by ID, a remote authenticated user who can upload images could re-register a deleted, well-known ID with a malicious image, causing other users who later boot from that ID to boot into the malicious image without knowing it.

Mitigation

For this flaw to be exploited, two conditions must both hold: non-admin users must be permitted to upload images, and records of deleted images must have been purged from the openstack-glance 'images' database table (a deleted row that is still present keeps its ID reserved).
To prevent exploitation, do one of the following:

  • Do not allow non-admin users to upload images, or
  • If you do permit normal users to upload images, do not purge the 'images' table. Note: it is safe to delete rows from the image_properties, image_tags, image_members, and image_locations tables, since those do not reserve image IDs.
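The following script is an added example, not code from the Red Hat advisory or from Glance. It checks a deployment against both mitigations above: whether a non-admin user passes Glance's add_image policy target (the target that creates the image record and therefore fixes its ID), and whether a planned purge touches anything other than the four tables the advisory calls safe. It evaluates only a simplified subset of oslo.policy rule syntax (an assumption stated in the code: 'and'/'or' atoms, rule references, and the special allow/deny rules; no parentheses or 'not'), and the two policy.json samples are constructed, with the permissive one mirroring the stock empty-string default of the era.

```python
"""Checks for the two CVE-2016-4383 mitigations (added example, not Glance code).

Simplification assumed here: rules are evaluated with a small subset of
oslo.policy syntax, i.e. 'and' and 'or' (with 'and' binding tighter),
atoms of the form key:value, 'rule:<name>' references, and the special
rules '' / '@' (always allow) and '!' (always deny). Parentheses and
'not' are not handled.
"""
import json

# Constructed sample policy.json contents (not taken from any deployment).
# Glance's stock policy used "" for add_image, so any authenticated user
# could create an image record and pick its ID.
PERMISSIVE_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "default": "",
    "add_image": "",
    "upload_image": "",
})

# Hardened variant implementing the first mitigation: only admins may
# create image records or upload image data.
HARDENED_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "default": "",
    "add_image": "rule:context_is_admin",
    "upload_image": "rule:context_is_admin",
})

# Tables the advisory says may be purged safely; 'images' is deliberately absent.
SAFE_TO_PURGE = frozenset({"image_properties", "image_tags",
                           "image_members", "image_locations"})

MAX_RULE_DEPTH = 10  # guard against rule:a -> rule:b -> rule:a loops


def _check_atom(atom, creds, rules, depth):
    """Evaluate a single policy atom against a credentials dict."""
    atom = atom.strip()
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Unknown targets fall back to the 'default' rule, as oslo.policy does.
        target = rules.get(value, rules.get("default", ""))
        return _evaluate(target, creds, rules, depth + 1)
    if kind == "role":
        return value in creds.get("roles", ())
    return str(creds.get(kind)) == value  # generic key:value, e.g. is_admin:True


def _evaluate(rule, creds, rules, depth=0):
    """Evaluate 'a and b or c' style rules; 'and' binds tighter than 'or'."""
    if depth > MAX_RULE_DEPTH:
        raise ValueError("policy rule recursion too deep")
    return any(
        all(_check_atom(atom, creds, rules, depth) for atom in conjunct.split(" and "))
        for conjunct in rule.split(" or ")
    )


def can_add_image(policy_json, roles):
    """True if a user holding `roles` passes Glance's add_image target."""
    rules = json.loads(policy_json)
    creds = {"roles": list(roles), "is_admin": "admin" in roles}
    target = rules.get("add_image", rules.get("default", ""))
    return _evaluate(target, creds, rules)


def non_admin_can_add_image(policy_json):
    """The exposure condition for this CVE: an ordinary member may create images."""
    return can_add_image(policy_json, ["member"])


def unsafe_purge_tables(tables):
    """Return the tables in a planned purge that the advisory says to keep intact."""
    return sorted(t for t in tables if t not in SAFE_TO_PURGE)


if __name__ == "__main__":
    for name, policy in (("stock", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        exposed = non_admin_can_add_image(policy)
        print(f"{name}: non-admin image creation {'ALLOWED' if exposed else 'denied'}")
    print("unsafe tables in purge plan:", unsafe_purge_tables(["images", "image_tags"]))
```

Run it against your own policy.json by passing its contents to non_admin_can_add_image; if it returns True and you also run a purge that includes the images table, both exploitation conditions from the advisory are met.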

