CVE-2022-4134: 
Python vulnerability analysis and mitigation

A vulnerability was identified in OpenStack Glance (CVE-2022-4134) that affects all supported releases. The flaw allows remote, authenticated attackers to tamper with images, potentially compromising the integrity of virtual machines created using these modified images. This vulnerability is particularly concerning in deployments where Glance shares a common storage backend with Nova and/or Cinder (OpenStack Wiki, Red Hat CVE).

The vulnerability occurs when the Glance API service is configured with 'showmultiplelocations' set to True (default is False) or when the end-user-facing glance-api has the 'showimagedirecturl' option set to True (default is False). In configurations where Nova creates a root disk snapshot, data is never uploaded to Glance; instead, a snapshot is created directly in the backend, and Nova creates a Glance image record with 'size' 0 and an empty 'oshash_value', making it impossible to compare the hash of downloaded image data (OpenStack Wiki).

The vulnerability allows malicious users to create an image in Glance, set an additional location pointing to an altered image, and then delete the original location. This results in consumers of the original image unknowingly using the malicious image. While this attack cannot change the original image's checksum, it is limited to images owned by the attacker. The impact is particularly severe in deployments using Ceph, where these configurations are common (OpenStack Wiki).

The recommended mitigation is to implement a dual glance-api deployment configuration: 1) A 'user-facing' glance-api accessible to end users and appearing in users' service catalogs, and 2) An 'internal-only-facing' glance-api accessible only to services requiring access to the 'directurl' or image location fields, protected by firewalls from end-user access. Additionally, the 'showmultiplelocations' and 'showimagedirecturl' options should never be enabled on end-user-facing instances (OpenStack Wiki).