Adding image member throws 500 when the member name is longer than 255 characters

Bug #1424038 reported by Hemanth Makkapati
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Glance
Won't Fix
High
Kamil Rykowski
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

When adding a member to an image, if the member name is longer than 255 characters, Glance registry fails with a 500.

Reproduction in devstack:
glance member-create 749f53d4-896b-436c-b742-6e01d3d700e8 663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663asdsadasdsadsadasdsadasd1
HTTPInternalServerError (HTTP 500)

Error in registry logs:
DBError: (DataError) (1406, "Data too long for column 'member' at row 1") 'INSERT INTO image_members (created_at, updated_at, deleted_at, deleted, image_id, member, can_share, status) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 2, 20, 19, 8, 15, 862789), datetime.datetime(2015, 2, 20, 19, 8, 15, 862800), None, 0, '749f53d4-896b-436c-b742-6e01d3d700e8', '663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663asdsadasdsadsadasdsadasd1', 0, 'pending')

2015-02-20 19:08:16.380 18844 INFO glance.wsgi.server [9719e12b-9926-47f4-a8a6-93430a792bec ca44bfc7c1e4421287bb6517be22e34d 4ccaf93d792a4a2880a60d32feeee570 - - -] 127.0.0.1 - - [20/Feb/2015 19:08:16] "PUT /images/749f53d4-896b-436c-b742-6e01d3d700e8/members/663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663051afadfasdfadsf663asdsadasdsadsadasdsadasd1 HTTP/1.1" 500 139 0.538550

Revision history for this message
Jeremy Stanley (fungi) wrote :

You forgot to include a description of how you would expect an attacker to exploit this bug, since you have marked it as a suspected security vulnerability. Or did you set this bug to private security in error?

Changed in ossa:
status: New → Incomplete
Revision history for this message
Nikhil Komawar (nikhil-komawar) wrote :

@Jeremy : I'd asked him to file this as potential security bug.

The reason and attack scenario is as follows:

When a user makes a call of this sort, it is a straightforward case when the 500s are expected hence, easily reproducible. My thinking is that if we let a user make such easy 500 calls, it may very easily be exploited to use as many API threads without having to worry about quota/policies. A deployment without strong rate-limiting would face challenge for such case.

It's not strong case for private security however, we initiated the conversation here to be on the safer side.

Thanks.

Changed in glance:
status: New → Triaged
importance: Undecided → High
Revision history for this message
Hemanth Makkapati (hemanth-makkapati) wrote :

Jeremy, yeah, sorry, my bad for forgetting to include the description.
Since this operation causes the API to respond with 500, which counts against API availability, repeated requests will reduce API availability and hence act like DoS attack.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in glance:
assignee: nobody → Hemanth Makkapati (hemanth-makkapati)
Revision history for this message
Jeremy Stanley (fungi) wrote :

I guess what I'm still missing in this report is the expected outcome. Should Glance return some other error on a too-long member name? Should Glance subject API calls resulting in 500 errors to policy/quota enforcement? Something else? That will certainly help in clarifying the impact statement if we end up issuing an advisory for this.

Revision history for this message
Hemanth Makkapati (hemanth-makkapati) wrote :

I'd say the expected outcome should be a 400. This is something that is bound to fail with every request that has a long member name since we don't have appropriate validations and/or error handling. So, 400 should be the expected outcome in my opinion.

Revision history for this message
Thierry Carrez (ttx) wrote :

I'm not convinced that triggering 500 to make log monitoring tools reduce "API availability" statistics could be leveraged as part of an attack. The API is not really unavailable, it's just that some tools relying on 500 error counts might report an erroneous state.

Now spurious 500 should be fixed and return 4xx where appropriate, but I don't think that should trigger a security advisory. Also API return code changes are generally non backportable, so a master fix only.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

I agree with ttx here, let's open this next Thursday if no objections

Revision history for this message
Thierry Carrez (ttx) wrote :

No objection, opening as promised.
Closing OSSA task due to Class D

Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
Jeremy Stanley (fungi)
description: updated
Changed in glance:
assignee: Hemanth Makkapati (hemanth-makkapati) → Kamil Rykowski (kamil-rykowski)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/175415

Revision history for this message
FANG CHIN SHEN (fcsiii) wrote :

Any one has other solution to fix this bug ?

tags: added: image-sharing
Revision history for this message
Abhishek Kekane (abhishek-kekane) wrote :

Marking as Won't Fix as registry is now removed from glance code base.

Changed in glance:
status: In Progress → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers