Comment 16 for bug 1549483

Nikhil Komawar (nikhil-komawar) wrote :

Hi Robert,

Thank you for the write up. I've a few suggestions, let me know your thoughts:

#1

### Summary ###
When the Glance API has been configured with the "show_multiple_locations"
parameter enabled along with the default policies, it is possible for a non-admin user to replace active
image data by manipulating the location through an update of the image record.

#2
### Discussion ###
Glance has a multiple location feature that allows a single image to be
stored in multiple places. This is intended to offer an extra degree of
resilience by improving the availability of Glance images as well as to help operators improve performance and reduce errors during inbound and outbound image data streaming.

This feature allows a user to push a new location for an image via the
Glance API. However, this process does not involve a checksum of the
existing or newly created image locations, allowing a malicious user to
push a different or altered image as an alternative location for an
existing one.

An attacker could add malicious data as a location for an existing
non-public image where they are authorized to do so, potentially leading to
other users of the cloud unknowingly using the malicious image, given that
the image is shared with other users.

#3
### Recommended Actions ###
In production clouds the image publish policy should be enabled to
prevent non-admin users from publishing images that can be used by other
users of the cloud. This does not mitigate the issue completely, but it
does constrain the issue to an individual user. It is still possible
that a workload running under one user could be compromised and in turn
abuse the multiple location feature to compromise other workloads
running under that same user, or an innocent error in specifying an incorrect location may result in potential data loss for that cloud, given the lack of checksum consistency.

The safest course of action is to disable support for multiple locations
by editing glance-api.conf:

---- begin glance-api.conf snippet ----
  [DEFAULT]
  show_multiple_locations = False
---- end glance-api.conf snippet ----

---

Thoughts?
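An added example, not part of the comment above and not Glance's own code: a small offline audit that checks the two conditions the summary names (show_multiple_locations enabled, location policies left at their permissive defaults) and shows the weak configuration beside the recommended one. It assumes the option lives in [DEFAULT] of glance-api.conf and that the policy file is oslo.policy-style JSON using the Glance targets "set_image_location" and "delete_image_location" (the target names I know from the Glance tree; verify them against the deployed release). The sample config and policy files are constructed inline. The admin-only policy sample is included only to show what the check treats as closed; the comment's recommendation remains disabling the option.

```python
"""Audit a Glance API config for the multiple-locations exposure.

Example code, not from Glance. Assumed layout: glance-api.conf with the
option in [DEFAULT]; a JSON policy file with the oslo.policy rule
semantics where "" or "@" means always allowed. Sample inputs below are
constructed for this example.
"""
import configparser
import json

# Assumed Glance policy targets that gate writes to an image's locations.
LOCATION_WRITE_RULES = ("set_image_location", "delete_image_location")

# Constructed sample: the weak configuration described in the advisory.
WEAK_CONF = """
[DEFAULT]
show_multiple_locations = True
"""
WEAK_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "default": "",
    "set_image_location": "",
    "delete_image_location": "",
})

# Constructed sample: the recommended setting from the comment.
HARDENED_CONF = """
[DEFAULT]
show_multiple_locations = False
"""

# Constructed sample: feature left on, but location writes need admin.
ADMIN_ONLY_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "default": "",
    "set_image_location": "role:admin",
    "delete_image_location": "role:admin",
})


def multiple_locations_enabled(conf_text):
    """Parse glance-api.conf text; True if show_multiple_locations is on."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    # oslo.config treats the option as a boolean defaulting to False.
    return parser.getboolean("DEFAULT", "show_multiple_locations",
                             fallback=False)


def open_location_rules(policy_text):
    """Return the location write rules that any authenticated user satisfies.

    In oslo.policy an empty rule "" or "@" always passes. A target missing
    from the file falls back to the "default" rule. Anything else is taken
    to require some role and is not flagged.
    """
    policy = json.loads(policy_text)
    default_rule = policy.get("default", "")
    open_rules = []
    for target in LOCATION_WRITE_RULES:
        rule = policy.get(target, default_rule)
        if rule.strip() in ("", "@"):
            open_rules.append(target)
    return open_rules


def audit(conf_text, policy_text):
    """Combine both checks; an empty list means the exposure is not present."""
    findings = []
    if not multiple_locations_enabled(conf_text):
        # With the option off the API does not expose image locations,
        # so the policy rules are not reachable for this purpose.
        return findings
    for target in open_location_rules(policy_text):
        findings.append(
            "show_multiple_locations=True and policy %r is open to all users"
            % target)
    return findings


if __name__ == "__main__":
    for label, conf, pol in (
        ("weak", WEAK_CONF, WEAK_POLICY),
        ("hardened conf", HARDENED_CONF, WEAK_POLICY),
        ("admin-only policy", WEAK_CONF, ADMIN_ONLY_POLICY),
    ):
        print(label, audit(conf, pol) or ["ok"])
```

Run it against a real glance-api.conf and policy file by reading them into strings and passing them to audit(); two findings on the constructed weak pair, none once show_multiple_locations is set to False.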