Stop worrying about image injection attacks. Learn to check, fix, and automate OpenStack Glance vulnerability mitigation on Ubuntu with real commands, scripts, and workarounds.
What Happened (and why it still matters)
On April 22, 2026, Canonical released USN-8199-1 fixing two notable flaws in OpenStack Glance:
- CVE-2024-32498 – Image processing could leak arbitrary files from your server (Ubuntu 16.04 & 18.04 LTS)
- CVE-2026-34881 – Server-side request forgery (SSRF) in image import, bypassing URL validation (Ubuntu 18.04 & 20.04 LTS)
But here's the truth: new similar flaws will appear next month, next year, and the year after. The skill isn't patching this one CVE – it's building a repeatable system to catch and fix ANY image processing vulnerability.
That's where this guide becomes .
How to check if you are vulnerable (Ubuntu commands)
Run these on any Ubuntu server running OpenStack Glance:
# Check your Glance version
glance --version

# Installed package version from dpkg (empty if glance is not installed)
INSTALLED=$(dpkg-query -W -f='${Version}' glance 2>/dev/null || true)

# Fixed version for your release, per USN-8199-1:
#   20.04: vulnerable if version < 2:20.2.0-0ubuntu1.2+esm2
#   18.04: vulnerable if version < 2:16.0.1-0ubuntu1.1+esm2
#   16.04: vulnerable if version < 2:12.0.0-0ubuntu2+esm1
case "$(lsb_release -rs)" in
  20.04) FIXED="2:20.2.0-0ubuntu1.2+esm2" ;;
  18.04) FIXED="2:16.0.1-0ubuntu1.1+esm2" ;;
  16.04) FIXED="2:12.0.0-0ubuntu2+esm1" ;;
  *)     FIXED="" ;;
esac

# dpkg handles epochs and +esm revisions correctly; a grep on the version string does not
if [ -z "$INSTALLED" ]; then echo "glance not installed"
elif [ -z "$FIXED" ]; then echo "release not covered by USN-8199-1"
elif dpkg --compare-versions "$INSTALLED" lt "$FIXED"; then echo "VULNERABLE: $INSTALLED < $FIXED"
else echo "patched: $INSTALLED"; fi

# Quick SSRF test: try importing from the metadata address (requires admin credentials)
# --uri is only valid with the web-download import method
# Replace with your actual internal service IP
openstack image create --import --import-method web-download --uri "http://169.254.169.254/latest/meta-data/" test-ssrf
# Clean up the test image afterwards
openstack image delete test-ssrf
If you see older versions or the import test returns metadata from your cloud provider's internal metadata service – you're vulnerable.
Automation script to apply the fix
This bash script checks your Ubuntu version, applies the official update, and verifies the fix. Save as fix-glance-cve.sh:
#!/bin/bash
# fix-glance-cve.sh – Hardens OpenStack Glance against CVE-2024-32498 & CVE-2026-34881
set -euo pipefail

echo "[*] Checking Ubuntu version..."
UBUNTU_VERSION=$(lsb_release -rs)

case "$UBUNTU_VERSION" in
  "20.04")
    echo "[*] Ubuntu 20.04 detected – patching SSRF vulnerability (CVE-2026-34881)"
    sudo apt update
    sudo apt install --only-upgrade glance glance-api glance-common python3-glance -y
    ;;
  "18.04")
    echo "[*] Ubuntu 18.04 detected – both CVEs apply"
    sudo apt update
    sudo apt install --only-upgrade glance glance-api glance-common glance-registry python-glance -y
    ;;
  "16.04")
    echo "[*] Ubuntu 16.04 detected – patching file leak (CVE-2024-32498)"
    sudo apt update
    sudo apt install --only-upgrade glance glance-api glance-common glance-glare glance-registry python-glance -y
    ;;
  *)
    echo "[!] Unsupported Ubuntu version. Check USN-8199-1 manually."
    exit 1
    ;;
esac

echo "[*] Restarting Glance services..."
sudo systemctl restart glance-api
# glance-registry is not shipped on 20.04; restarting a missing unit would abort the script under set -e
if systemctl cat glance-registry.service >/dev/null 2>&1; then
  sudo systemctl restart glance-registry
fi

echo "[*] Verification:"
# is-active exits non-zero if glance-api did not come back, which stops the script here
sudo systemctl is-active --quiet glance-api
echo "[✓] Patching complete. Run the check commands again to confirm."
Make it executable and run:
chmod +x fix-glance-cve.sh
sudo ./fix-glance-cve.sh
This script solves ONE CVE. To learn how to create your own scripts for ANY future CVE, you need the book.
📘 Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly – This script solves *a* CVE. This book solves ALL the CVEs you've never seen.
Why this book?
Because package updates won't save you from zero-days or misconfigurations. You'll learn to write custom binary analysis tools to catch image processing flaws BEFORE they get a CVE number.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.
Alternative mitigation if you can't update now
If you're stuck on an older Glance version (no Ubuntu Pro, change freeze, legacy system):
1. Block SSRF with iptables (for CVE-2026-34881)
Prevent Glance from reaching internal metadata services and private IP ranges:
# Block access to AWS/GCP/Azure metadata IP
# (this rule is host-wide: if the host itself needs the metadata service, e.g. for cloud-init,
#  add "-m owner --uid-owner glance" to it as well)
sudo iptables -A OUTPUT -d 169.254.169.254 -j DROP -m comment --comment "Block SSRF to metadata service"

# Block internal IPv4 ranges from Glance process (requires process owner: 'glance')
sudo iptables -A OUTPUT -m owner --uid-owner glance -d 10.0.0.0/8 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner glance -d 172.16.0.0/12 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner glance -d 192.168.0.0/16 -j DROP

# Save rules (Ubuntu)
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
These rules cover the metadata address and the RFC 1918 ranges only. Add loopback (127.0.0.0/8), the rest of link-local (169.254.0.0/16) and the IPv6 equivalents with ip6tables if Glance has no business reaching those either, and confirm with ps that the API workers really run as the glance user, because -m owner only matches packets generated by that uid.
2. AppArmor profile to restrict file access (for CVE-2024-32498)
Create /etc/apparmor.d/local/usr.bin.glance-api:
# Allow only image storage directories
/var/lib/glance/images/ r,
/var/lib/glance/images/** rw,

# Explicitly deny sensitive paths. Deny rules win over allow rules, so keep them narrow:
# a blanket deny of /etc/** would also block Glance's own /etc/glance/ configuration
deny /var/lib/glance/images/**/{passwd,shadow,ssh,key,secret} r,
deny /etc/{shadow,gshadow,sudoers,ssh/**} r,
deny /home/** r,
deny /root/** r,
deny /proc/*/mem r,
Then reload. The drop-in only takes effect if the main profile /etc/apparmor.d/usr.bin.glance-api exists and includes local/usr.bin.glance-api, so confirm the profile is loaded afterwards:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.glance-api
sudo systemctl reload apparmor
sudo aa-status | grep glance
3. Proxy-based URL validation (for all image imports)
Deploy a tiny validating proxy that whitelists only allowed image sources:
# /etc/nginx/sites-available/glance-proxy
server {
    listen 127.0.0.1:8080;

    # proxy_pass with a variable needs a resolver to look up hostnames;
    # 127.0.0.53 is the systemd-resolved stub on Ubuntu, adjust for your setup
    resolver 127.0.0.53;

    location / {
        # Allow only known-good registries
        if ($http_x_image_uri !~ ^https://(images\.linuxcontainers\.org|download\.cirros-cloud\.com)/) {
            return 403;
        }
        proxy_pass $http_x_image_uri;
    }
}
Configure Glance to use this proxy in /etc/glance/glance-api.conf:
[glance_store]
image_import_proxy = http://127.0.0.1:8080
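The nginx rule above matches the hostname text only; a name that resolves to 169.254.169.254 or to an RFC 1918 address passes it. The validator below applies the same allowlist and then checks what the host actually resolves to. This is an added example written for this guide, not Glance's code (Glance's web-download import has its own scheme/host/port filters under [import_filtering_opts]); the allowlist, the `resolve` hook and the sample addresses in it are constructed.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Policy mirrors the allowlist in the nginx config above (constructed for this example)
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.linuxcontainers.org", "download.cirros-cloud.com"}
ALLOWED_PORTS = {443}

def system_resolve(host: str) -> Iterable[str]:
    """Resolve a hostname (IP literals pass through) with the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_import_uri(uri: str, resolve: Callable[[str], Iterable[str]] = system_resolve) -> List[str]:
    """Return the policy violations for an image-import URI; an empty list means it may be fetched."""
    problems: List[str] = []
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    if host not in ALLOWED_HOSTS:
        problems.append(f"host {host!r} not in allowlist")
    if parts.username or parts.password:
        problems.append("userinfo in URI not allowed")
    try:
        port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port not in ALLOWED_PORTS:
        problems.append(f"port {port} not allowed")
    # Check where the name actually points: a DNS record for 169.254.169.254 or an
    # RFC 1918 address satisfies a hostname regex but must still be refused
    try:
        addresses = list(resolve(host)) if host else []
    except OSError as exc:
        return problems + [f"{host} does not resolve: {exc}"]
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        if not ip.is_global or ip.is_multicast:
            problems.append(f"{host} resolves to non-public address {ip}")
    return problems
```

Pass a custom `resolve` callable to test the policy offline, as the assertions below do with a constructed name-to-address table.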
Why you need a systematic approach
Patch management is reactive. By the time you read a CVE announcement, attackers have already scanned for unpatched Glance endpoints.
The pro moves are:
- Automate version checking (hook this script into cron or ansible)
- Implement defense-in-depth (iptables + AppArmor even AFTER patching)
- Learn binary analysis to find the NEXT image parsing bug before it's weaponized
That last point is what separates sysadmins from security engineers.