2015-09-21 19:46:58 |
Mike Fedosin |
bug |
|
|
added bug |
2015-09-21 19:48:14 |
Mike Fedosin |
attachment added |
|
exploit for v1 https://bugs.launchpad.net/glance/+bug/1498163/+attachment/4470670/+files/test_images.py |
|
2015-09-21 19:48:40 |
Mike Fedosin |
attachment added |
|
exploit for v2 https://bugs.launchpad.net/glance/+bug/1498163/+attachment/4470671/+files/test_images_v2.py |
|
2015-09-21 19:50:26 |
Mike Fedosin |
attachment added |
|
Patch for master https://bugs.launchpad.net/glance/+bug/1498163/+attachment/4470672/+files/0001-Cleanup-chunks-for-deleted-image-if-token-expired.patch |
|
2015-09-21 19:52:16 |
Nikhil Komawar |
glance: importance |
Undecided |
Critical |
|
2015-09-21 19:52:19 |
Nikhil Komawar |
glance: status |
New |
Triaged |
|
2015-09-21 20:00:36 |
Nikhil Komawar |
glance: assignee |
|
Mike Fedosin (mfedosin) |
|
2015-09-21 20:03:08 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
2015-09-21 20:03:12 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
2015-09-21 20:03:37 |
Tristan Cacqueray |
description |
About a year ago there was a vulnerability called 'Glance user storage quota bypass': https://security.openstack.org/ossa/OSSA-2015-003.html, where any user could overcome the quota and clog up the storage.
The fix was proposed in master and all other stable branches, but it turned out that it doesn't completely remove the issue and any user can still exceed the quota.
It happens when the user token expires during file upload and glance tries to update the image status from 'saving' to 'active'. Glance then gets an Unauthenticated exception from the registry server and fails with a 500 error. On the other side, a garbage file is left in storage.
Steps to reproduce mostly coincide with those from the previous bug, but in general they are:
1. Set some value (like 1Gb) for user_storage_quota in glance-api.conf and restart the server.
2. Make sure that your token will expire soon, so that you are able to create an image instance in the DB and begin the upload, but the token expires during it.
3. Create an image, begin the upload and quickly remove the image with 'glance image-delete'.
4. After the upload, check that the image is not in the list, i.e. it's deleted, and that the file is still located in the store.
5. Perform steps 2-4 several times to make sure that the user quota is exceeded.
The related script (test_images.py from here https://bugs.launchpad.net/glance/+bug/1398830) works fine, too, but it's better to reduce the token lifetime in the keystone config to 1 or 2 minutes, so as not to wait for one hour.
Glance api v2 is affected as well, but only if registry db_api is enabled. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
About a year ago there was a vulnerability called 'Glance user storage quota bypass': https://security.openstack.org/ossa/OSSA-2015-003.html, where any user could overcome the quota and clog up the storage.
The fix was proposed in master and all other stable branches, but it turned out that it doesn't completely remove the issue and any user can still exceed the quota.
It happens when the user token expires during file upload and glance tries to update the image status from 'saving' to 'active'. Glance then gets an Unauthenticated exception from the registry server and fails with a 500 error. On the other side, a garbage file is left in storage.
Steps to reproduce mostly coincide with those from the previous bug, but in general they are:
1. Set some value (like 1Gb) for user_storage_quota in glance-api.conf and restart the server.
2. Make sure that your token will expire soon, so that you are able to create an image instance in the DB and begin the upload, but the token expires during it.
3. Create an image, begin the upload and quickly remove the image with 'glance image-delete'.
4. After the upload, check that the image is not in the list, i.e. it's deleted, and that the file is still located in the store.
5. Perform steps 2-4 several times to make sure that the user quota is exceeded.
The related script (test_images.py from here https://bugs.launchpad.net/glance/+bug/1398830) works fine, too, but it's better to reduce the token lifetime in the keystone config to 1 or 2 minutes, so as not to wait for one hour.
Glance api v2 is affected as well, but only if registry db_api is enabled. |
|
2015-09-21 20:11:19 |
Nikhil Komawar |
glance: milestone |
|
liberty-rc1 |
|
2015-09-22 17:05:26 |
Mike Fedosin |
attachment added |
|
Patch with fixed tasks https://bugs.launchpad.net/glance/+bug/1498163/+attachment/4471488/+files/0001-Cleanup-chunks-for-deleted-image-if-token-expired.patch |
|
2015-09-22 19:57:35 |
Nikhil Komawar |
bug |
|
|
added subscriber Glance Core security contacts |
2015-09-23 06:43:29 |
Flavio Percoco |
attachment added |
|
0001-Cleanup-chunks-for-deleted-image-if-token-expired.patch-master https://bugs.launchpad.net/glance/+bug/1498163/+attachment/4472005/+files/0001-Cleanup-chunks-for-deleted-image-if-token-expired.patch-master |
|
2015-09-23 06:43:47 |
Flavio Percoco |
attachment added |
|
0001-Cleanup-chunks-for-deleted-image-if-token-expired.patch-kilo https://bugs.launchpad.net/glance/+bug/1498163/+attachment/4472007/+files/0001-Cleanup-chunks-for-deleted-image-if-token-expired.patch-kilo |
|
2015-09-23 06:44:01 |
Flavio Percoco |
attachment added |
|
0001-Cleanup-chunks-for-deleted-image-if-token-expired.patch-juno https://bugs.launchpad.net/glance/+bug/1498163/+attachment/4472008/+files/0001-Cleanup-chunks-for-deleted-image-if-token-expired.patch-juno |
|
2015-09-25 14:15:51 |
Nikhil Komawar |
glance: milestone |
liberty-rc1 |
ongoing |
|
2015-09-25 14:18:45 |
Nikhil Komawar |
tags |
|
liberty-rc-potential |
|
2015-09-25 14:57:33 |
Tristan Cacqueray |
ossa: status |
Incomplete |
In Progress |
|
2015-09-25 14:57:36 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2015-09-25 20:32:41 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
2015-09-25 20:42:45 |
Tristan Cacqueray |
summary |
Glance storage quota bypass when token is expired |
Glance storage quota bypass when token is expired (CVE-2015-5286) |
|
2015-09-25 20:42:59 |
Tristan Cacqueray |
cve linked |
|
2015-5286 |
|
2015-10-01 11:56:02 |
Thierry Carrez |
glance: milestone |
ongoing |
liberty-rc2 |
|
2015-10-01 15:01:16 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
2015-10-01 15:05:28 |
Tristan Cacqueray |
summary |
Glance storage quota bypass when token is expired (CVE-2015-5286) |
[OSSA 2015-020] Glance storage quota bypass when token is expired (CVE-2015-5286) |
|
2015-10-01 15:18:44 |
Nikhil Komawar |
glance: status |
Triaged |
In Progress |
|
2015-10-01 16:01:03 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
About a year ago there was a vulnerability called 'Glance user storage quota bypass': https://security.openstack.org/ossa/OSSA-2015-003.html, where any user could overcome the quota and clog up the storage.
The fix was proposed in master and all other stable branches, but it turned out that it doesn't completely remove the issue and any user can still exceed the quota.
It happens when the user token expires during file upload and glance tries to update the image status from 'saving' to 'active'. Glance then gets an Unauthenticated exception from the registry server and fails with a 500 error. On the other side, a garbage file is left in storage.
Steps to reproduce mostly coincide with those from the previous bug, but in general they are:
1. Set some value (like 1Gb) for user_storage_quota in glance-api.conf and restart the server.
2. Make sure that your token will expire soon, so that you are able to create an image instance in the DB and begin the upload, but the token expires during it.
3. Create an image, begin the upload and quickly remove the image with 'glance image-delete'.
4. After the upload, check that the image is not in the list, i.e. it's deleted, and that the file is still located in the store.
5. Perform steps 2-4 several times to make sure that the user quota is exceeded.
The related script (test_images.py from here https://bugs.launchpad.net/glance/+bug/1398830) works fine, too, but it's better to reduce the token lifetime in the keystone config to 1 or 2 minutes, so as not to wait for one hour.
Glance api v2 is affected as well, but only if registry db_api is enabled. |
About a year ago there was a vulnerability called 'Glance user storage quota bypass': https://security.openstack.org/ossa/OSSA-2015-003.html, where any user could overcome the quota and clog up the storage.
The fix was proposed in master and all other stable branches, but it turned out that it doesn't completely remove the issue and any user can still exceed the quota.
It happens when the user token expires during file upload and glance tries to update the image status from 'saving' to 'active'. Glance then gets an Unauthenticated exception from the registry server and fails with a 500 error. On the other side, a garbage file is left in storage.
Steps to reproduce mostly coincide with those from the previous bug, but in general they are:
1. Set some value (like 1Gb) for user_storage_quota in glance-api.conf and restart the server.
2. Make sure that your token will expire soon, so that you are able to create an image instance in the DB and begin the upload, but the token expires during it.
3. Create an image, begin the upload and quickly remove the image with 'glance image-delete'.
4. After the upload, check that the image is not in the list, i.e. it's deleted, and that the file is still located in the store.
5. Perform steps 2-4 several times to make sure that the user quota is exceeded.
The related script (test_images.py from here https://bugs.launchpad.net/glance/+bug/1398830) works fine, too, but it's better to reduce the token lifetime in the keystone config to 1 or 2 minutes, so as not to wait for one hour.
Glance api v2 is affected as well, but only if registry db_api is enabled. |
|
2015-10-01 18:31:22 |
Tristan Cacqueray |
tags |
liberty-rc-potential |
kilo-backport-potential liberty-rc-potential |
|
2015-10-02 01:08:26 |
Koji Iida |
bug |
|
|
added subscriber Koji Iida |
2015-10-02 13:54:45 |
OpenStack Infra |
tags |
kilo-backport-potential liberty-rc-potential |
in-stable-liberty kilo-backport-potential liberty-rc-potential |
|
2015-10-02 21:41:57 |
Nikhil Komawar |
glance: status |
In Progress |
Fix Committed |
|
2015-10-02 22:24:53 |
OpenStack Infra |
tags |
in-stable-liberty kilo-backport-potential liberty-rc-potential |
in-stable-juno in-stable-liberty kilo-backport-potential liberty-rc-potential |
|
2015-10-02 22:25:02 |
OpenStack Infra |
tags |
in-stable-juno in-stable-liberty kilo-backport-potential liberty-rc-potential |
in-stable-juno in-stable-kilo in-stable-liberty kilo-backport-potential liberty-rc-potential |
|
2015-10-03 12:48:14 |
Thierry Carrez |
glance: status |
Fix Committed |
Fix Released |
|
2015-10-05 14:04:04 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
2015-10-15 13:34:53 |
Thierry Carrez |
glance: milestone |
liberty-rc2 |
11.0.0 |
|
2015-11-14 10:31:59 |
Alan Pevec |
nominated for series |
|
glance/juno |
|
2015-11-14 10:32:00 |
Alan Pevec |
bug task added |
|
glance/juno |
|
2015-11-14 15:04:27 |
Alan Pevec |
glance/juno: status |
New |
Fix Committed |
|
2015-11-14 15:04:27 |
Alan Pevec |
glance/juno: milestone |
|
2014.2.4 |
|
2015-11-19 21:40:45 |
Alan Pevec |
glance/juno: status |
Fix Committed |
Fix Released |
|
2016-01-21 20:19:20 |
Dave Walker |
nominated for series |
|
glance/kilo |
|
2016-01-21 20:19:21 |
Dave Walker |
bug task added |
|
glance/kilo |
|
2016-01-21 20:19:51 |
Dave Walker |
glance/kilo: status |
New |
Fix Committed |
|
2016-01-21 20:19:51 |
Dave Walker |
glance/kilo: milestone |
|
2015.1.3 |
|
2016-01-21 23:12:54 |
Dave Walker |
glance/kilo: status |
Fix Committed |
Fix Released |
|