[OSSA 2014-028] image_size_cap not checked in v2 (CVE-2014-5356)

Bug #1315321 reported by Thomas Leaman on 2014-05-02
Affects                       Importance  Assigned to
Glance                        High        Manuel Desbonnet
Glance (Havana)               High        Unassigned
Glance (Icehouse)             High        Manuel Desbonnet
OpenStack Security Advisory   Medium      Tristan Cacqueray

Bug Description

To reproduce (using devstack):

create an image
upload image data larger than image_size_cap

This should result in an error, but doesn't

Stuart McLaren (stuart-mclaren) wrote :

I'm wondering if there's a security aspect to this?

If it's possible to upload an image of unrestricted length and then create multiple compute instances using that image there is the possibility that the filesystem on the nova compute nodes will fill up, preventing further instances from being created.

information type: Public → Private Security
Thierry Carrez (ttx) wrote :

Once public, always public

information type: Private Security → Public Security
Robert Clark (robert-clark) wrote :

Clear DoS, should probably be an OSSA as it's a code defect in OpenStack. OSSN would simply recommend caution around who you allow to upload images.

Nathan Kinder (nkinder) wrote :

How would this allow one to fill up the Nova compute nodes? Wouldn't the instance flavors still control the amount of disk that is used?

I could see this allowing one to fill up the backend storage used by Glance, though user_storage_quota should allow one to prevent this. The quota isn't set by default, but that could be recommended in an OSSN. The defaults for these values are as follows:

  image_size_cap = 1099511627776 (1TB)
  user_storage_quota = 0 (unlimited)

If I understand the way these values are intended to work correctly, one would be able to fill up Glance's backend storage by simply adding many images that are under the image_size_cap with the default settings. The fact that the cap is broken just means that one could add a lower number of larger images to fill up Glance's storage than they would if the cap was functioning properly.

Changed in glance:
assignee: nobody → Arnaud Legendre (arnaudleg)
Stuart McLaren (stuart-mclaren) wrote :

Hi Arnaud,

We have a patch up for this: https://review.openstack.org/#/c/91764/

Arnaud Legendre (arnaudleg) wrote :

Oh ok :) thanks!

Changed in glance:
assignee: Arnaud Legendre (arnaudleg) → nobody
Changed in glance:
assignee: nobody → Thomas Leaman (thomas-leaman)
Thierry Carrez (ttx) wrote :

I think this warrants an OSSA, even if the Nova impact is yet unclear.

Changed in ossa:
status: New → Incomplete
Changed in glance:
status: New → In Progress
Thierry Carrez (ttx) on 2014-05-26
Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Medium

This vulnerability seems to be introduced in Grizzly at least, and as we don't support Grizzly anymore we'll mark every version up to 2013.2.3 affected.

Here is impact description draft #1:

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1

Description:
Thomas Leaman from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration is not honored. This may prevent further image upload and/or cause service disruption. Only setups using Glance image service are affected.

Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Grant Murphy (gmurphy) wrote :

Impact description looks fine. A couple of grammatical problems maybe.

e.g. Should 'upload' be 'uploads' in "This may prevent further image upload"?

Thanks Tristan, couple of things:

1) Only the Glance v2 api is affected (v1 is not)
2) I think image 'import' is not affected -- it may be worth explicitly stating this, as import/upload are similar functionality.
3) Is it possible/appropriate to put my name as well as Thomas's? (If not, no big deal!)

@Grant, Thanks for the typo :)

@Stuart, Thanks for the comments!
It is appropriate to mention you as a reporter, you are right, my bad!

Here is impact description draft #2:

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 to 2014.1.1

Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected.

Thanks Tristan. :-)

> All Glance setups using API v2 are affected.

It's possible to restrict/disable image upload using a policy, if you've done that you won't be affected even if you're using v2. Not sure if that's worth mentioning or is too much detail.

Thierry Carrez (ttx) on 2014-06-09
Changed in ossa:
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

configuration -> configuration option
Maybe add "(unless you use a policy to restrict/disable image upload)" at the end to cover for Stuart's remark

Thanks for the review, it now covers Stuart's comment #12.

Here is impact description draft #3:

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 to 2014.1.1

Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload).

Thierry Carrez (ttx) wrote :

nitpick: "configuration" -> "configuration option"
Otherwise looks good.

Thanks ttx!

Here is impact description draft #4:

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 to 2014.1.1

Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration option is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload).

lgtm!

Thierry Carrez (ttx) wrote :

impactdesc +1

Jeremy Stanley (fungi) wrote :

Tristan's latest draft impact description in comment #16 looks good to me.

Thierry Carrez (ttx) wrote :

Patch for this is still pretty much in progress. Any hope for an update there?

Thierry Carrez (ttx) on 2014-08-04
Changed in glance:
importance: Undecided → High
Changed in glance:
assignee: Thomas Leaman (thomas-leaman) → Manuel Desbonnet (manuel-desbonnet)

Reviewed: https://review.openstack.org/91764
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=92ab00fca6926eaf3f7f92a955a5e07140063718
Submitter: Jenkins
Branch: master

commit 92ab00fca6926eaf3f7f92a955a5e07140063718
Author: Tom Leaman <email address hidden>
Date: Fri May 2 10:09:20 2014 +0000

    Enforce image_size_cap on v2 upload

    image_size_cap should be checked and enforced on upload

    Enforcement is in two places:
    - on image metadata save
    - during image save to backend store

    Closes-Bug: 1315321
    Change-Id: I45bfb360703617bc394e9e27fe17adf43b09c0e1
    Co-Author: Manuel Desbonnet <email address hidden>

Changed in glance:
status: In Progress → Fix Committed
Changed in ossa:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/115280
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=31a4d1852a0c27bac5757c192f300f051229a312
Submitter: Jenkins
Branch: stable/icehouse

commit 31a4d1852a0c27bac5757c192f300f051229a312
Author: Tom Leaman <email address hidden>
Date: Fri May 2 10:09:20 2014 +0000

    Enforce image_size_cap on v2 upload

    image_size_cap should be checked and enforced on upload

    Enforcement is in two places:
    - on image metadata save
    - during image save to backend store

    (cherry picked from commit 92ab00fca6926eaf3f7f92a955a5e07140063718)
    Conflicts:
     glance/location.py
     glance/tests/functional/v2/test_images.py

    Closes-Bug: 1315321
    Change-Id: I45bfb360703617bc394e9e27fe17adf43b09c0e1
    Co-Author: Manuel Desbonnet <email address hidden>

Reviewed: https://review.openstack.org/115289
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=12f43cfed5a47cd16f08b7dad2424da0fc362e47
Submitter: Jenkins
Branch: stable/havana

commit 12f43cfed5a47cd16f08b7dad2424da0fc362e47
Author: Tom Leaman <email address hidden>
Date: Fri May 2 10:09:20 2014 +0000

    Enforce image_size_cap on v2 upload

    image_size_cap should be checked and enforced on upload

    Enforcement is in two places:
    - on image metadata save
    - during image save to backend store

    (cherry picked from commit 92ab00fca6926eaf3f7f92a955a5e07140063718)
    Conflicts:
     glance/location.py
     glance/tests/functional/v2/test_images.py
     glance/tests/unit/test_store_image.py

    Closes-Bug: 1315321
    Change-Id: I45bfb360703617bc394e9e27fe17adf43b09c0e1
    Co-Author: Manuel Desbonnet <email address hidden>

summary: - image_size_cap not checked in v2
+ image_size_cap not checked in v2 (CVE-2014-5356)
Changed in ossa:
status: In Progress → Fix Committed
summary: - image_size_cap not checked in v2 (CVE-2014-5356)
+ [OSSA 2014-028] image_size_cap not checked in v2 (CVE-2014-5356)
Changed in ossa:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-09-05
Changed in glance:
milestone: none → juno-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in glance:
milestone: juno-3 → 2014.2