Image data stays in store if image is deleted after creating image using import task (CVE-2015-3289)

Bug #1454087 reported by Abhishek Kekane on 2015-05-12
Affects                       Status   Importance   Assigned to          Milestone
Glance                                 Undecided    Unassigned
OpenStack Security Advisory            Undecided    Tristan Cacqueray

Bug Description

Image data stays in store if image is deleted after creating image using import task

When trying to delete an image created using the task API (import-from), the image gets deleted from the database, but the image data remains in the backend.

Steps to reproduce:
1. Create image using task api

$ curl -i -X POST \
    -H 'User-Agent: python-glanceclient' \
    -H 'Content-Type: application/json' \
    -H 'Accept-Encoding: gzip, deflate, compress' \
    -H 'Accept: */*' \
    -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e' \
    -d '{"type": "import",
         "input": {"import_from": "http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso",
                   "import_from_format": "raw",
                   "image_properties": {"disk_format": "raw",
                                        "container_format": "bare",
                                        "name": "task_image"}}}' \
    http://10.69.4.176:9292/v2/tasks

2. Wait until the image becomes active.
3. Confirm the image is in the active state.
   $ glance image-list
4. Delete the image
   $ glance image-delete <image-id>
5. Verify that image-list no longer shows the deleted image
   $ glance image-list

The image gets deleted from the database, but the image data is still present in the backend.

Note:
This issue is fixed in master by this patch https://review.openstack.org/#/c/181345/4
This issue will be resolved by back-porting the above patch to stable/kilo.

Affected branches: stable/kilo

The attack scenario here is to create and delete a lot of images using the import task and DoS the image backend by filling it up.
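The condition this report describes (image records gone, image data still in the store) is only visible by comparing what the Glance API knows about with what the backend actually holds. The following audit script is an added example for this report, not Glance project code. It assumes the filesystem store, which keeps each image as a single file named by its UUID directly under filesystem_store_datadir, and that the caller supplies the list of image IDs the API still reports (every non-deleted state, not just active, so in-flight imports are not flagged). The store contents used below are constructed for the demonstration.

```python
"""Audit a Glance filesystem store for image data with no owning image record.

Added example for bug #1454087 / CVE-2015-3289; not Glance project code.
Assumptions: filesystem store layout <filesystem_store_datadir>/<image UUID>,
one file per image; `known_image_ids` comes from GET /v2/images (or
`glance image-list`) issued with a token that can see all tenants' images.
"""
import os
import tempfile
import uuid


def orphaned_store_files(datadir, known_image_ids):
    """Return (sorted orphan ids, bytes held by them) for UUID-named files in
    `datadir` that do not correspond to any id in `known_image_ids`.

    `known_image_ids` should include images in every non-deleted state
    (queued, saving, active, deactivated, pending_delete); passing only
    active images would misreport imports still in progress as orphans.
    """
    known = {str(image_id) for image_id in known_image_ids}
    orphans = []
    wasted_bytes = 0
    for name in os.listdir(datadir):
        path = os.path.join(datadir, name)
        if not os.path.isfile(path):
            continue
        try:
            uuid.UUID(name)  # the store holds only UUID-named blobs; skip anything else
        except ValueError:
            continue
        if name not in known:
            orphans.append(name)
            wasted_bytes += os.path.getsize(path)
    return sorted(orphans), wasted_bytes


def build_demo_store():
    """Construct a throwaway store: two images the API still reports, plus two
    blobs whose image records were deleted (the leak from this bug), plus one
    unrelated file that the audit must ignore."""
    datadir = tempfile.mkdtemp(prefix="glance_store_demo_")
    live = [str(uuid.uuid4()) for _ in range(2)]
    deleted = [str(uuid.uuid4()) for _ in range(2)]
    for image_id in live + deleted:
        with open(os.path.join(datadir, image_id), "wb") as f:
            f.write(b"\0" * 1024)  # 1 KiB stand-in for image data
    with open(os.path.join(datadir, "README"), "w") as f:
        f.write("not an image\n")
    return datadir, live, deleted


def demo():
    """Run the audit against the constructed store; True when it finds exactly
    the two leaked blobs and nothing else."""
    datadir, live, deleted = build_demo_store()
    orphans, wasted_bytes = orphaned_store_files(datadir, live)
    return orphans == sorted(deleted) and wasted_bytes == 2 * 1024


if __name__ == "__main__":
    datadir, live, deleted = build_demo_store()
    orphans, wasted_bytes = orphaned_store_files(datadir, live)
    print("orphaned blobs: %d, bytes: %d" % (len(orphans), wasted_bytes))
    for image_id in orphans:
        print("  %s" % image_id)
```

Run it against a real deployment by replacing the constructed store with the store's datadir and the id list with the output of the v2 images API under an admin token; anything reported is data the patch would have removed at delete time and that a quota or disk-space alert will otherwise only surface once the backend is nearly full.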

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Flavio Percoco (flaper87) wrote :

This is indeed a bug and, as mentioned in the description, it's been fixed already. The backport has been done already but it's currently awaiting a resolution to the problems we have in the gate.

https://review.openstack.org/#/c/181816/

How is this bug different from bug 1371118 and bug 1420696?

I guess we'd better cover this by doing an ERRATA to OSSA-2015-004...

@flaper87 Doesn't this also affect Juno ?

Flavio Percoco (flaper87) wrote :

I'm sorry, I missed this comment :(

It doesn't affect Juno; this code was added in Kilo.

Since this issue relates to the new task flow (as opposed to the import task of OSSA 2015-004), I guess it deserves its own OSSA and CVE.

Title: Glance task flow leaks image in backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2015.1.0

Description:
Abhishek Kekane from NTT reported a vulnerability in Glance. By creating numerous images using the import task flow API and deleting them, an authenticated attacker may accumulate untracked image data in the backend resulting in potential resource exhaustion and denial of service. All glance setups are affected.

Changed in ossa:
status: Incomplete → Triaged
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Flavio Percoco (flaper87) wrote :

This sounds good to me.

Jeremy Stanley (fungi) wrote :

For the impact description in comment #7, let's try to avoid non-vulnerability-related uses of the overloaded term "leak" to reduce confusion. How about switching the title to something like "Glance task flow may fail to delete image from backend".

Thanks, the CVE has been assigned with the last proposed title.

summary: Image data stays in store if image is deleted after creating image using
- import task
+ import task (CVE-2015-3289)
Grant Murphy (gmurphy) wrote :

Disclosure date set for 2015-07-28. pre-OSSA sent to downstream stakeholders.

Changed in ossa:
status: Triaged → Fix Committed
Grant Murphy (gmurphy) wrote :
Changed in ossa:
status: Fix Committed → Fix Released
information type: Private Security → Public
description: updated

As patch https://review.openstack.org/#/c/181816/ is merged in stable/kilo, this bug can be marked as Fix Released.
