Image data stays in store (filesystem store) if image is deleted after staging call
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Glance |
Fix Released
|
Critical
|
Abhishek Kekane | ||
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
Trying to delete image after staging call image gets deleted from the database, but image data remains in the backend ('/tmp/staging' directory).
NOTE: This issue will occur only if image-import is enabled in the deployment i.e. 'enable_
Steps to reproduce:
1. Create image
$ glance image-create --container-format ami --disk-format ami --name test_image
2. Add image to staging area using stage call
$ glance image-stage <IMAGE_ID>
3. Verify that image is uploaded to staging area i.e. in '/tmp/staging' area
$ ls -la /tmp/staging/
Output: -rw-r--r--. 1 centos centos 313 Nov 20 09:05 /tmp/staging/
4. Delete the image
$ glance image-delete <IMAGE_ID>
5. Verify image-list does not show deleted image
$ glance image-list
6. Verify that image is still present in staging area i.e. in '/tmp/staging' area
$ ls -la /tmp/staging/
Output: -rw-r--r--. 1 centos centos 313 Nov 20 09:05 /tmp/staging/
Image gets deleted from the database but image data presents in the staging area i.e. in '/tmp/staging' directory.
Actually after deleting the image after staging call it should be cleared from staging area as well.
Attack scenario here is to create/stage/delete a lot of large size images using DoS the temporary image backend by filling it up.
| Tristan Cacqueray (tristan-cacqueray) wrote | #1 |
| description: | updated |
| Changed in ossa: | |
| status: | New → Incomplete |
| Brian Rosmaita (brian-rosmaita) wrote | #2 |
| Jeremy Stanley (fungi) wrote | #3 |
| Changed in ossa: | |
| status: | Incomplete → Won't Fix |
| description: | updated |
| Brian Rosmaita (brian-rosmaita) wrote | #4 |
| Jeremy Stanley (fungi) wrote | #5 |
| information type: | Private Security → Public |
| tags: | added: security |
| Changed in glance: | |
| assignee: | nobody → Abhishek Kekane (abhishek-kekane) |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to glance (master) | #6 |
| Changed in glance: | |
| status: | New → In Progress |
| Changed in glance: | |
| milestone: | none → queens-2 |
| importance: | Undecided → High |
| Brian Rosmaita (brian-rosmaita) wrote | #7 |
| Changed in glance: | |
| importance: | High → Critical |
| milestone: | queens-2 → queens-3 |
| Changed in glance: | |
| milestone: | queens-3 → queens-rc1 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to glance (master) | #8 |
| Changed in glance: | |
| status: | In Progress → Fix Released |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/glance 16.0.0.0rc1 | #9 |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.