| 2014-12-10 16:36:44 |
George Shuklin |
bug |
|
|
added bug |
| 2014-12-10 16:37:20 |
George Shuklin |
description |
Glance allows to create 0-sized images ('glance image-create' without parameters). Those images does not consume resources of storage backend and does not hit any limits for size, but taking space in database.
Malicious user can cause database resource depletion with endless flood of 'image-create' requests. Because request is small it cause more strain on openstack than on attacker.
Ratelimit on API requests allows delay consequences of attack, but does not prevent it.
Here simple script to run attack:
while true;do curl -i -X POST -H 'X-Auth-Token: ***' http://glance-endpoint:9292/v1/images;done
My estimation is database growth about 1Mb/minute (with extra-slow shell-based attack, crafted script will allow run it with RateLimit speed). |
Glance allows to create 0-sized images ('glance image-create' without parameters). Those images does not consume resources of storage backend and does not hit any limits for size, but taking space in database.
Malicious user can cause database resource depletion with endless flood of 'image-create' requests. Because request is small it cause more strain on openstack than on attacker.
Ratelimit on API requests allows delay consequences of attack, but does not prevent it.
Here simple script to run attack:
while true;do curl -i -X POST -H 'X-Auth-Token: ***' http://glance-endpoint:9292/v1/images;done
My estimation for database growth about 1Mb/minute (with extra-slow shell-based attack, crafted script will allow run it with RateLimit speed). |
|
| 2014-12-10 16:43:12 |
George Shuklin |
description |
Glance allows to create 0-sized images ('glance image-create' without parameters). Those images does not consume resources of storage backend and does not hit any limits for size, but taking space in database.
Malicious user can cause database resource depletion with endless flood of 'image-create' requests. Because request is small it cause more strain on openstack than on attacker.
Ratelimit on API requests allows delay consequences of attack, but does not prevent it.
Here simple script to run attack:
while true;do curl -i -X POST -H 'X-Auth-Token: ***' http://glance-endpoint:9292/v1/images;done
My estimation for database growth about 1Mb/minute (with extra-slow shell-based attack, crafted script will allow run it with RateLimit speed). |
Glance allows to create 0-size images ('glance image-create' without parameters). Those images do not consume resources of storage backend and do not hit any limits for size, but take up space in database.
Malicious user can cause database resource depletion with endless flood of 'image-create' requests. Because an empty request is small it will cause more strain on openstack than on the attacker.
RateLimit on API requests allows to delay consequences of attack, but does not prevent it.
Here is simple script to run attack:
while true;do curl -i -X POST -H 'X-Auth-Token: ***' http://glance-endpoint:9292/v1/images;done
My estimation for database growth is about 1Mb/minute (with extra-slow shell-based attack, but a specially crafted script will allow to run it with RateLimit speed). |
|
| 2014-12-10 16:43:20 |
George Shuklin |
summary |
0-sized images allow unpriveleged user to deplete glance resources |
0-size images allow unprivileged user to deplete glance resources |
|
| 2014-12-10 16:47:05 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2014-12-10 16:47:11 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2014-12-10 16:49:02 |
Grant Murphy |
bug |
|
|
added subscriber Glance Core security contacts |
| 2014-12-10 18:26:23 |
Flavio Percoco |
glance: status |
New |
Invalid |
|
| 2014-12-11 16:51:12 |
Thierry Carrez |
bug |
|
|
added subscriber OSSG CoreSec |
| 2014-12-12 13:19:19 |
Flavio Percoco |
glance: status |
Invalid |
New |
|
| 2014-12-14 20:05:51 |
Stuart McLaren |
glance: assignee |
|
Stuart McLaren (stuart-mclaren) |
|
| 2014-12-14 20:06:31 |
Stuart McLaren |
glance: status |
New |
In Progress |
|
| 2014-12-22 15:31:23 |
Thierry Carrez |
bug task added |
|
ossn |
|
| 2014-12-22 15:31:49 |
Thierry Carrez |
information type |
Private Security |
Public Security |
|
| 2014-12-24 13:27:43 |
George Shuklin |
attachment added |
|
melt.py https://bugs.launchpad.net/glance/+bug/1401170/+attachment/4286973/+files/melt.py |
|
| 2015-01-12 15:34:46 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Won't Fix |
|
| 2015-01-23 22:27:59 |
Nikhil Komawar |
bug |
|
|
added subscriber nikhil komawar |
| 2015-09-02 21:46:13 |
Grant Murphy |
ossn: assignee |
|
Grant Murphy (gmurphy) |
|
| 2015-09-02 22:41:57 |
Grant Murphy |
ossn: status |
New |
Fix Committed |
|
| 2015-09-02 23:10:27 |
Eric Brown |
ossn: assignee |
Grant Murphy (gmurphy) |
Eric Brown (ericwb) |
|
| 2015-10-07 01:28:01 |
Nikhil Komawar |
glance: importance |
Undecided |
High |
|
| 2015-10-15 22:13:18 |
Nathan Kinder |
ossn: status |
Fix Committed |
Fix Released |
|
| 2017-09-15 17:31:07 |
Brian Rosmaita |
glance: status |
In Progress |
Won't Fix |
|
| 2017-09-15 17:31:14 |
Brian Rosmaita |
glance: importance |
High |
Wishlist |
|
| 2017-09-15 17:31:19 |
Brian Rosmaita |
glance: assignee |
Stuart McLaren (stuart-mclaren) |
|
|
