Adding image member throws 500 when the member name is longer than 255 characters

Bug #1424038 reported by Hemanth Makkapati on 2015-02-20
This bug affects 3 people
Affects: Glance
Importance: High
Assigned to: Kamil Rykowski

Affects: OpenStack Security Advisory
Importance: Undecided
Assigned to: Unassigned

Bug Description

When adding a member to an image, if the member name is longer than 255 characters, Glance registry fails with a 500.

Reproduction in devstack:
glance member-create 749f53d4-896b-436c-b742-6e01d3d700e8 663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663asdsadasdsadsadasdsadasd1
HTTPInternalServerError (HTTP 500)

Error in registry logs:
DBError: (DataError) (1406, "Data too long for column 'member' at row 1") 'INSERT INTO image_members (created_at, updated_at, deleted_at, deleted, image_id, member, can_share, status) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 2, 20, 19, 8, 15, 862789), datetime.datetime(2015, 2, 20, 19, 8, 15, 862800), None, 0, '749f53d4-896b-436c-b742-6e01d3d700e8', '663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663asdsadasdsadsadasdsadasd1', 0, 'pending')

2015-02-20 19:08:16.380 18844 INFO glance.wsgi.server [9719e12b-9926-47f4-a8a6-93430a792bec ca44bfc7c1e4421287bb6517be22e34d 4ccaf93d792a4a2880a60d32feeee570 - - -] 127.0.0.1 - - [20/Feb/2015 19:08:16] "PUT /images/749f53d4-896b-436c-b742-6e01d3d700e8/members/663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663asdsadasdsadsadasdsadasd1 HTTP/1.1" 500 139 0.538550
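The failure mode in the report (a caller-supplied value reaching the database unchecked, the driver's DataError escaping as a 500) next to the behaviour the thread later calls the expected outcome (a 400 before the insert), as an added illustration that is not Glance's code. FakeMembersTable, validate_member_id and the two add_member_* handlers are assumed names standing in for the registry's member-creation path; the 255-character limit is inferred from the "Data too long for column 'member'" error above, and the sample member names are constructed.

```python
# Added illustration, not Glance's own code. FakeMembersTable,
# validate_member_id and add_member_* are assumed names standing in for the
# registry's member-creation path; the sample member names are constructed.

# Width of the image_members.member column, inferred from the DBError in
# the report ("Data too long for column 'member'"): VARCHAR(255).
MAX_MEMBER_LEN = 255

IMAGE_ID = "749f53d4-896b-436c-b742-6e01d3d700e8"  # image id from the report


class DataError(Exception):
    """Stand-in for the DB driver's DataError (MySQL error 1406)."""


class FakeMembersTable:
    """Constructed stand-in for image_members under MySQL strict mode:
    a value wider than the column is rejected instead of truncated."""

    def __init__(self):
        self.rows = []

    def insert(self, image_id, member):
        # MySQL counts VARCHAR length in characters, as does len() on a str.
        if len(member) > MAX_MEMBER_LEN:
            raise DataError(1406, "Data too long for column 'member' at row 1")
        self.rows.append({"image_id": image_id, "member": member,
                          "status": "pending"})


def add_member_unvalidated(table, image_id, member):
    """The reported behaviour: the input goes straight to the DB, and the
    driver error is not an HTTP error the framework maps, so the request
    ends as HTTPInternalServerError (500)."""
    try:
        table.insert(image_id, member)
        return 200, "member added"
    except DataError as exc:
        return 500, "internal error: %s" % exc.args[1]


def validate_member_id(member):
    """Return None if the member id is acceptable, else a client-facing reason."""
    if not isinstance(member, str) or not member:
        return "member id must be a non-empty string"
    if len(member) > MAX_MEMBER_LEN:
        return "member id must be at most %d characters" % MAX_MEMBER_LEN
    return None


def add_member_validated(table, image_id, member):
    """The expected behaviour: reject the value before the DB sees it and
    answer with a 400 the caller can act on. The DataError branch stays as
    a last resort for anything the validator and the schema disagree about."""
    reason = validate_member_id(member)
    if reason is not None:
        return 400, reason
    try:
        table.insert(image_id, member)
        return 200, "member added"
    except DataError as exc:
        return 500, "internal error: %s" % exc.args[1]


if __name__ == "__main__":
    table = FakeMembersTable()
    too_long = "6" * (MAX_MEMBER_LEN + 1)  # constructed: one character over
    print(add_member_unvalidated(table, IMAGE_ID, too_long))            # 500
    print(add_member_validated(table, IMAGE_ID, too_long))              # 400
    print(add_member_validated(table, IMAGE_ID, "6" * MAX_MEMBER_LEN))  # 200
```

The check has to measure in the same unit as the column: a VARCHAR(255) holds 255 characters, which matches len() on a Python str, whereas a check on the encoded byte length would reject multi-byte names the column accepts. A 400 still costs a request, so the rate-limiting concern raised later in the thread is unaffected by this change; what changes is that the error is now the caller's, not the service's.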

Jeremy Stanley (fungi) wrote :

You forgot to include a description of how you would expect an attacker to exploit this bug, since you have marked it as a suspected security vulnerability. Or did you set this bug to private security in error?

Changed in ossa:
status: New → Incomplete
Nikhil Komawar (nikhil-komawar) wrote :

@Jeremy : I'd asked him to file this as potential security bug.

The reason and attack scenario is as follows:

When a user makes a call of this sort, it is a straightforward case where the 500s are expected and hence easily reproducible. My thinking is that if we let a user make such easy 500 calls, it may very easily be exploited to use up as many API threads as they like without having to worry about quota/policies. A deployment without strong rate-limiting would face a challenge in such a case.

It's not a strong case for private security; however, we initiated the conversation here to be on the safer side.

Thanks.

Changed in glance:
status: New → Triaged
importance: Undecided → High

Jeremy, yeah, sorry, my bad for forgetting to include the description.
Since this operation causes the API to respond with 500, which counts against API availability, repeated requests will reduce API availability and hence act like a DoS attack.

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in glance:
assignee: nobody → Hemanth Makkapati (hemanth-makkapati)
Jeremy Stanley (fungi) wrote :

I guess what I'm still missing in this report is the expected outcome. Should Glance return some other error on a too-long member name? Should Glance subject API calls resulting in 500 errors to policy/quota enforcement? Something else? That will certainly help in clarifying the impact statement if we end up issuing an advisory for this.

I'd say the expected outcome should be a 400. This is something that is bound to fail with every request that has a long member name since we don't have appropriate validations and/or error handling. So, 400 should be the expected outcome in my opinion.

Thierry Carrez (ttx) wrote :

I'm not convinced that triggering 500 to make log monitoring tools reduce "API availability" statistics could be leveraged as part of an attack. The API is not really unavailable, it's just that some tools relying on 500 error counts might report an erroneous state.

Now, spurious 500s should be fixed and return 4xx where appropriate, but I don't think that should trigger a security advisory. Also, API return code changes are generally non-backportable, so a master fix only.

I agree with ttx here; let's open this next Thursday if there are no objections.

Thierry Carrez (ttx) wrote :

No objection, opening as promised.
Closing OSSA task due to Class D

Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
Jeremy Stanley (fungi) on 2015-04-14
description: updated
Changed in glance:
assignee: Hemanth Makkapati (hemanth-makkapati) → Kamil Rykowski (kamil-rykowski)
status: Triaged → In Progress
FANG CHIN SHEN (fcsiii) wrote :

Does anyone have another solution to fix this bug?
