Glance

[OSSN-0088] Images v2 api metadef vulnerability

Bug #1545702 reported by Stuart McLaren
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
Confirmed
Undecided
Unassigned
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned
OpenStack Security Notes
Fix Released
Critical
Abhishek Kekane

Bug Description

It looks like a regular user can use the metadef api to create an unlimited number of records in the database.

 $ glance md-namespace-create ns1 xxx
 $ glance md-namespace-create ns2 xxx
 .
 .
 .

 $ glance md-tag-create --name tag OS::Software::WebServers
 $ glance md-tag-create --name tag2 OS::Software::WebServers
.
.
.

etc.

Tags: security
Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Adding Travis.

@Travis

Any idea if there's something (eg quota/limit) which restricts the number of namespaces etc a user can create?

Thanks.

Jeremy Stanley (fungi)
information type: Private Security → Public Security
information type: Public Security → Public
Revision history for this message
Dan Smith (danms) wrote :

I can confirm this locally in 2021 with a script to just create resources in a tight loop:

$ glance md-namespace-list | wc -l
2033
$ glance md-namespace-resource-type-list bar1 | wc -l
1004

(and still going)

I don't see any knobs to limit this, nor anywhere in the code that we attempt to cap the number of these objects we allow to be created. AFAICT, the policy for these are all open to regular users by default, which is not good.

I don't have permissions to set the importance of this bug, but despite the fact that this is five years old at this point, I'd rate this as non-trivial in terms of priority.

Dan Smith (danms)
Changed in glance:
status: New → Confirmed
Revision history for this message
Jeremy Stanley (fungi) wrote :

This report came up in another discussion today, so for clarity I just wanted to state that the VMT is considering it a security hardening opportunity for now. If this is an avenue for filling up a reasonably provisioned database before an operator's typical database resource monitoring solution would alert them to the situation so they could disable the user's accounts, then we could reconsider issuing an advisory about it once fixed.

Changed in ossa:
status: New → Won't Fix
tags: added: security
Jeremy Stanley (fungi)
summary: - Images v2 api metadef vulnerability
+ [OSSN-0088] Images v2 api metadef vulnerability
Changed in ossn:
status: New → Fix Released
importance: Undecided → Critical
assignee: nobody → Abhishek Kekane (abhishek-kekane)
Revision history for this message
Jeremy Stanley (fungi) wrote :

Recommendations are now published here: https://wiki.openstack.org/wiki/OSSN/OSSN-0088

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.