[OSSN-0088] Glance leaks resource types across namespaces

Bug #1916922 reported by Lance Bragstad
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
Undecided
Unassigned
OpenStack Security Advisory
Undecided
Unassigned
OpenStack Security Notes
Critical
Abhishek Kekane

Bug Description

As a user of a project, I can see resource types associated to private namespaces I don't have access to:

╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ cat alicerc
export OS_CACERT=
export OS_PROJECT_NAME=separate
export OS_USERNAME=alice
export OS_PASSWORD=password
export OS_REGION_NAME=RegionOne
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://192.168.1.155/identity
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_VOLUME_API_VERSION=3
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source alicerc
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-namespace-list
+------------------------------------------+
| namespace |
+------------------------------------------+
| OS::Software::DBMS |
| CIM::ResourceAllocationSettingData |
| OS::Compute::CPUPinning |
| OS::Compute::Watchdog |
| OS::Compute::GuestMemoryBacking |
| OS::Compute::AggregateDiskFilter |
| OS::Compute::RandomNumberGenerator |
| OS::Compute::Hypervisor |
| OS::Compute::AggregateIoOpsFilter |
| OS::Compute::VirtCPUTopology |
| OS::Compute::HostCapabilities |
| CIM::ProcessorAllocationSettingData |
| OS::Compute::GuestShutdownBehavior |
| OS::Cinder::Volumetype |
| OS::Software::WebServers |
| OS::Compute::Libvirt |
| OS::Compute::XenAPI |
| OS::Compute::Quota |
| OS::Compute::VMwareFlavor |
| OS::Compute::VMwareQuotaFlavor |
| OS::Compute::InstanceData |
| OS::Compute::LibvirtImage |
| OS::Compute::AggregateNumInstancesFilter |
| OS::Glance::Signatures |
| CIM::VirtualSystemSettingData |
| CIM::StorageAllocationSettingData |
| OS::Software::Runtimes |
| OS::Compute::VMware |
+------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-namespace-create alice-namespace
+------------+----------------------------------+
| Property | Value |
+------------+----------------------------------+
| created_at | 2021-02-25T15:55:55Z |
| namespace | alice-namespace |
| owner | 67f1495e5dc145abbfa7059c63c6eda2 |
| protected | False |
| schema | /v2/schemas/metadefs/namespace |
| updated_at | 2021-02-25T15:55:55Z |
| visibility | private |
+------------+----------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-resource-type-associate --name alice-resource-type alice-namespace
+------------+----------------------+
| Property | Value |
+------------+----------------------+
| created_at | 2021-02-25T15:57:29Z |
| name | alice-resource-type |
| updated_at | 2021-02-25T15:57:29Z |
+------------+----------------------+

Now as a separate user

╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source openrc demo demo
is_service_enabled:29: command not found: set +o xtrace
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-resource-type-list
+---------------------+
| name |
+---------------------+
| OS::Glance::Image |
| OS::Cinder::Volume |
| OS::Nova::Server |
| OS::Nova::Aggregate |
| OS::Nova::Flavor |
| OS::Trove::Instance |
| bar |
| test |
| alice-resource-type |
+---------------------+

description: updated
Revision history for this message
Lance Bragstad (lbragstad) wrote :

I'm opening this as a security vulnerability based on conversations with jokke

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

It has come to my attention that Dan Smith was also aware of this report, so I have subscribed him after discussing with Lance.

Revision history for this message
Dan Smith (danms) wrote :

I added my feeling on how we should handle this on the related bug here:

https://bugs.launchpad.net/glance/+bug/1916926/comments/3

Revision history for this message
Jeremy Stanley (fungi) wrote :

Thanks! If we go with that plan, I recommend a single security advisory which covers all related vulnerabilities (it may wind up with multiple CVE assignments for each problem addressed, but that's not too unusual).

Revision history for this message
Dan Smith (danms) wrote :

Indeed, I think a single advisory for "this whole corner of the API has fundamental issues and should be disabled or handled with care" makes perfect sense.

Revision history for this message
Jeremy Stanley (fungi) wrote :

We'll be switching this bug public shortly along with bug 1916926 under a single publication (OSSN-0088).

description: updated
information type: Private Security → Public
Jeremy Stanley (fungi)
summary: - Glance leaks resource types across namespaces
+ [OSSN-0088] Glance leaks resource types across namespaces
Changed in ossa:
status: Incomplete → Won't Fix
Changed in ossn:
importance: Undecided → Critical
status: New → Fix Released
assignee: nobody → Abhishek Kekane (abhishek-kekane)
tags: added: security
Revision history for this message
Jeremy Stanley (fungi) wrote :

Recommendations are now published here: https://wiki.openstack.org/wiki/OSSN/OSSN-0088

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers