Glance needs a config option to limit the number of additional image properties

Bug #1251518 reported by Brian Rosmaita
Affects                      Status        Importance  Assigned to  Milestone
Glance                       Fix Released  Critical    Alex Meade   2014.1
OpenStack Security Advisory  Invalid       Undecided   Unassigned

Bug Description

Impact: The vulnerability occurs when glance is directly exposed to users. If users can only hit glance via the compute API, then there is no vulnerability.

Nova has a configuration option quota_metadata_items (default value 128) that's documented to limit the number of metadata items that can be put on an instance. (I verified that it also applies to image metadata using a havana devstack.)

Glance does not appear to have such an option (I was able to put >500 additional properties on an image using the glanceclient). I think this is a DOS attack vector, since someone could fill the glance database with garbage and slow everything down.

Tags: security
Revision history for this message
Thierry Carrez (ttx) wrote :

Hmmm. Agree on the usefulness of such a setting, but should it be considered a vulnerability? I wonder if that would not fall under the "normal usage" for a public service: people using your service will grow the database behind it, so you have to have mitigation in place to prevent normal usage from triggering DoS.

The question is... where is the line? When should normal usage be considered a DoS vector? When it's easy to do? When it's anonymous to do? When it's free to do? When you can leverage quadratic blowup? So far we considered the combination of the last two (free + blowup) to constitute a vulnerability. Not so sure about other combinations (here we have easy + free IIUC).

Changed in ossa:
status: New → Incomplete
Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Thierry, you understand correctly, it's easy + free + linear.

I'm fine with downgrading this from a vulnerability to just a pain in the butt. I guess instead of a bug this should be a glance feature request.

Revision history for this message
Jeremy Stanley (fungi) wrote :

I agree, this falls to operator best practices and public service hardening issues. Contrary to popular belief, private security bugs get less attention and generally take longer to fix than regular public bugs (due to the strictly limited set of people allowed to see and work through them).

information type: Private Security → Public
tags: added: security
Jeremy Stanley (fungi)
Changed in ossa:
status: Incomplete → Invalid
Changed in glance:
status: New → Triaged
importance: Undecided → Critical
milestone: none → icehouse-1
Alex Meade (alex-meade)
Changed in glance:
assignee: nobody → Alex Meade (alex-meade)
Alex Meade (alex-meade)
Changed in glance:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/56981

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/56981
Committed: http://github.com/openstack/glance/commit/f63d2f67ed1e7b8246b36bd08517a55a702a48a9
Submitter: Jenkins
Branch: master

commit f63d2f67ed1e7b8246b36bd08517a55a702a48a9
Author: Alex Meade <email address hidden>
Date: Fri Nov 15 22:42:55 2013 +0000

    Add config option to limit image properties

    This patch adds the image_property_quota config option. This allows a deployer
    to limit the number of image properties allowed on an image. The default value
    is 128, as is currently the limit enforced by nova. Users will only be able to
    update an image if the result of the transaction would be under this limit.
    This behavior is intended to be similar to 'quota_metadata_items' in nova.

    This is for both Glance v1 and v2.

    Fixes bug 1251518
    docImpact

    Change-Id: I4aa9504deae836404f11c9ada71a91f85caeba4c

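The rule the commit message states, "users will only be able to update an image if the result of the transaction would be under this limit", is easy to get subtly wrong (checking the number of keys in the request instead of the number left on the image afterwards). The following is an added illustration of that semantic, not Glance's own code: the class and function names (PropertyQuotaEnforcer, ImagePropertyLimitExceeded, apply_property_update, flood_image) are assumptions, the sample images are constructed inline, and treating a negative quota as "unlimited" is an assumption about how the option is meant to be used. The flood_image helper models the reporter's experiment of stuffing hundreds of garbage properties onto one image, once with no limit and once with the 128 default the fix introduces.

```python
"""Illustration of image_property_quota semantics (added example, not Glance code).

Assumptions: the names below are invented for this example; a negative quota
is treated as unlimited; sample property data is constructed inline.
"""

DEFAULT_IMAGE_PROPERTY_QUOTA = 128  # the default the commit message cites


class ImagePropertyLimitExceeded(Exception):
    """Raised when an update would leave more properties than the quota allows."""


class PropertyQuotaEnforcer:
    """Enforces 'accept the update only if the resulting count is within the limit'."""

    def __init__(self, image_property_quota=DEFAULT_IMAGE_PROPERTY_QUOTA):
        # Assumption for this example: quota < 0 means no limit is enforced.
        self.quota = image_property_quota

    def apply_update(self, extra_properties, set_props=None, remove_keys=()):
        """Return the image's new additional-properties dict, or raise.

        extra_properties: properties currently stored on the image.
        set_props:        keys to add or overwrite in this transaction.
        remove_keys:      keys to delete in the same transaction.

        The check is made on the *result*, so overwriting an existing key while
        at the limit is allowed, and removing one key while adding another is
        allowed too; only growth past the quota is refused.
        """
        result = dict(extra_properties)
        for key in remove_keys:
            result.pop(key, None)
        result.update(set_props or {})
        if self.quota >= 0 and len(result) > self.quota:
            raise ImagePropertyLimitExceeded(
                "update would leave %d properties on the image; quota is %d"
                % (len(result), self.quota))
        return result


def flood_image(enforcer, count):
    """Model the report's experiment: add properties one at a time until refused.

    Returns the number of properties that actually ended up on the image.
    """
    props = {}
    for i in range(count):
        try:
            # Constructed garbage: a distinct key with a 255-byte value each time.
            props = enforcer.apply_update(props, {"garbage_%d" % i: "x" * 255})
        except ImagePropertyLimitExceeded:
            break
    return len(props)


if __name__ == "__main__":
    # Pre-fix behaviour: nothing stops 600 garbage properties landing in the DB.
    print(flood_image(PropertyQuotaEnforcer(-1), 600))   # 600
    # Post-fix default: the 129th addition is refused, 128 remain.
    print(flood_image(PropertyQuotaEnforcer(), 600))     # 128
```

The point of checking the merged result rather than the request is that a client at the limit can still correct or rotate existing properties, which is the behaviour an operator wants from a quota, while an attacker cannot grow the row any further regardless of how the adds are batched.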
Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: icehouse-1 → 2014.1