'X-Openstack-Request-ID' length limited only by header size

Bug #1482301 reported by Erno Kuvaja
Affects                       Status        Importance  Assigned to   Milestone
Glance                        Fix Released  Critical    Erno Kuvaja
Juno                          New           Undecided   Unassigned
Kilo                          New           Undecided   Unassigned
OpenStack Security Advisory   Won't Fix     Undecided   Unassigned

Bug Description

Glance accepts the 'X-Openstack-Request-ID' header and includes the value in log files. The length of the Request ID is limited only by the max_header_line parameter, which defaults to 16384. This opens the possibility of flooding the logs.

Public, as this vulnerability was already discussed today at the Glance weekly meeting.

Tags: log
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/210025

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to glance (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/210026

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/210042

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/210044

Erno Kuvaja (jokke)
summary: - 'X-Openstack-Request-ID' leght limited only by header size
+ 'X-Openstack-Request-ID' lenght limited only by header size
Changed in ossa:
status: New → Incomplete
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

It seems like all affected logs are DEBUG; does it also happen without DEBUG?

Revision history for this message
Kirill Zaitsev (kzaitsev) wrote :

I believe all the OS projects follow this pattern. Shouldn't we propagate this concern to the oslo guys and other project teams?

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

It doesn't seem to affect the last Kilo release (openstack-glance-2015.1.1-1.el7.noarch).
Unless this affects a stable release without DEBUG mode, we are going to remove the OSSA tasks.

Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/210025
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=9fdc92b57bfb1e92fdb90e9bffc07bd928801630
Submitter: Jenkins
Branch: master

commit 9fdc92b57bfb1e92fdb90e9bffc07bd928801630
Author: Erno Kuvaja <email address hidden>
Date: Thu Aug 6 16:29:28 2015 +0000

    Add mechanism to limit Request ID size

    Adding 'max_request_id_length' defaulting to 0 for backportability.

    DocImpact
    SecurityImpact

    Closes-Bug: #1482301
    Change-Id: Ie68afe7610a414bbcc42ff3bee33a9779303c115

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance (stable/kilo)

Change abandoned by Erno Kuvaja (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/210044
Reason: Kilo not affected

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance (stable/juno)

Change abandoned by Erno Kuvaja (<email address hidden>) on branch: stable/juno
Review: https://review.openstack.org/210042

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to glance (master)

Reviewed: https://review.openstack.org/210026
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=bd593ddbe67715534b404f3138298ab1232490f5
Submitter: Jenkins
Branch: master

commit bd593ddbe67715534b404f3138298ab1232490f5
Author: Erno Kuvaja <email address hidden>
Date: Thu Aug 6 16:33:07 2015 +0000

    Setting default max_request_id_length to 64

    Setting sensible maximum size for Request ID. 64 should be enough for
    normal use cases but limited enough from current 16384 to not flood
    the logs by malicious requests.

    DocImpact
    SecurityImpact

    Related-to-bug: #1482301
    Change-Id: I52ebf810f4699826baa2bdf91d28e24d902cf950
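The two commits above describe the mitigation in prose: a new max_request_id_length option, first defaulting to 0 for backportability and then to 64, so that a client-supplied request ID can no longer be as long as max_header_line (16384) allows. The following is an added, self-contained illustration of that idea, not Glance's own middleware: a small WSGI filter that checks the incoming X-Openstack-Request-ID against a configured limit before anything is logged. The option name and the default of 64 come from the commits; the exact semantics chosen here (0 means "no limit", an oversized value is rejected with 400, and only the length of the rejected value is logged) are assumptions made for the example.

```python
"""Added example: bound the length of a client-supplied request ID before
logging it. Illustrative code, not Glance's own middleware; the option name
max_request_id_length and the default 64 come from the bug's commits, the
"0 disables the check" and "reject with 400" semantics are assumptions."""
import logging
import uuid

LOG = logging.getLogger(__name__)

# Default from the related fix; 0 is assumed to mean "no limit".
DEFAULT_MAX_REQUEST_ID_LENGTH = 64


def validate_request_id(value, max_length=DEFAULT_MAX_REQUEST_ID_LENGTH):
    """Return True if the client-supplied request ID may be accepted.

    None (header absent) is always fine; max_length <= 0 disables the check.
    """
    if value is None or max_length <= 0:
        return True
    return len(value) <= max_length


class RequestIdLimiter(object):
    """WSGI middleware: reject oversized request IDs, mint one if absent."""

    def __init__(self, app, max_length=DEFAULT_MAX_REQUEST_ID_LENGTH):
        self.app = app
        self.max_length = max_length

    def __call__(self, environ, start_response):
        req_id = environ.get('HTTP_X_OPENSTACK_REQUEST_ID')
        if not validate_request_id(req_id, self.max_length):
            # Log only the length, never the oversized value itself, so the
            # rejected request cannot fill the log it was aimed at.
            LOG.warning('Rejected X-Openstack-Request-ID of %d bytes '
                        '(limit %d)', len(req_id), self.max_length)
            body = b'Request ID too long'
            start_response('400 Bad Request',
                           [('Content-Type', 'text/plain'),
                            ('Content-Length', str(len(body)))])
            return [body]
        if req_id is None:
            # No client value: generate one so downstream logs still correlate.
            req_id = 'req-' + str(uuid.uuid4())
            environ['HTTP_X_OPENSTACK_REQUEST_ID'] = req_id
        # Safe to log: the value is either server-minted or within the limit.
        LOG.debug('Request %s: %s %s', req_id,
                  environ.get('REQUEST_METHOD'), environ.get('PATH_INFO'))
        return self.app(environ, start_response)


def _echo_app(environ, start_response):
    """Trivial downstream app that echoes the request ID it received."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [environ['HTTP_X_OPENSTACK_REQUEST_ID'].encode('utf-8')]


def run_request(header_value, max_length=DEFAULT_MAX_REQUEST_ID_LENGTH):
    """Drive the middleware with a constructed WSGI environ.

    Returns (status line, response body) so the outcome can be checked.
    """
    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v2/images'}
    if header_value is not None:
        environ['HTTP_X_OPENSTACK_REQUEST_ID'] = header_value
    captured = {}

    def start_response(status, headers):
        captured['status'] = status

    app = RequestIdLimiter(_echo_app, max_length)
    body = b''.join(app(environ, start_response))
    return captured['status'], body.decode('utf-8')


if __name__ == '__main__':
    logging.basicConfig(level=logging.DEBUG)
    print(run_request('req-abc123'))          # normal ID passes through
    print(run_request('A' * 16384))           # header-size-limited value, rejected
    print(run_request('A' * 16384, 0))        # limit 0: old behaviour, passes
```

The warning path deliberately records only the byte count of the rejected value, which is the detail a defender needs for alerting without reintroducing the very log-flooding the limit exists to stop.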

Thierry Carrez (ttx)
Changed in glance:
milestone: liberty-3 → 11.0.0