Comment 0 for bug 1401170

George Shuklin (george-shuklin) wrote : 0-sized images allow unprivileged user to deplete glance resources

Glance allows the creation of 0-sized images ('glance image-create' without parameters). Those images do not consume resources of the storage backend and do not hit any size limits, but they take up space in the database.

A malicious user can cause database resource depletion with an endless flood of 'image-create' requests. Because each request is small, it causes more strain on OpenStack than on the attacker.

A rate limit on API requests allows delaying the consequences of the attack, but does not prevent it.

Here is a simple script to run the attack:

# Each POST to /v1/images with no body creates one empty, queued image record.
while true; do
    curl -i -X POST -H 'X-Auth-Token: ***' http://glance-endpoint:9292/v1/images
done

My estimate is database growth of about 1 MB/minute (with an extra-slow shell-based attack; a crafted script would allow running it at the rate-limit speed).
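An operator who suspects this flood is running needs a way to spot it in the image table before the database fills up. The following is an added example, not code from the bug report or from the Glance project: it runs a simple detection over image records, counting empty (queued, size 0 or null) images per owner and computing the peak number created by one owner in any one-minute window. The record shape is assumed to mirror the fields returned by the Glance v1 /v1/images/detail listing ("id", "owner", "size", "status", "created_at"); the sample records below are constructed for the demonstration, and the thresholds in flag_flooders are illustrative values, not Glance defaults.

```python
"""Flag tenants flooding Glance with empty (0-sized, queued) images.

Added example for the bug discussion above; not Glance project code.
Record fields are assumed to follow the v1 /v1/images/detail listing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%S"  # timestamp format used in the v1 listing


def _build_sample():
    """Constructed sample data: one flooding tenant, one normal tenant."""
    base = datetime(2014, 12, 10, 12, 0, 0)
    images = []
    # Attacker: 30 empty queued images, one every two seconds.
    for i in range(30):
        images.append({
            "id": "att-%02d" % i,
            "owner": "tenant-attacker",
            "size": None,
            "status": "queued",
            "created_at": (base + timedelta(seconds=2 * i)).strftime(ISO),
        })
    # Normal tenant: one real uploaded image and one upload in progress.
    images.append({
        "id": "ok-1", "owner": "tenant-normal", "size": 13287936,
        "status": "active", "created_at": base.strftime(ISO),
    })
    images.append({
        "id": "ok-2", "owner": "tenant-normal", "size": 0,
        "status": "queued",
        "created_at": (base + timedelta(minutes=5)).strftime(ISO),
    })
    return images


SAMPLE_IMAGES = _build_sample()


def is_empty_image(rec):
    """An image created with no data stays 'queued' with size 0 or null."""
    return rec.get("status") == "queued" and not rec.get("size")


def empty_images_per_owner(images):
    """Count empty images per owner (tenant)."""
    counts = defaultdict(int)
    for rec in images:
        if is_empty_image(rec):
            counts[rec["owner"]] += 1
    return dict(counts)


def empty_image_ids(images, owner):
    """Ids of an owner's empty images, e.g. to feed to 'glance image-delete'."""
    return [rec["id"] for rec in images
            if rec["owner"] == owner and is_empty_image(rec)]


def peak_rate_per_minute(images, owner, window=timedelta(minutes=1)):
    """Largest number of empty images `owner` created inside any window."""
    times = sorted(datetime.strptime(rec["created_at"], ISO)
                   for rec in images
                   if rec["owner"] == owner and is_empty_image(rec))
    best, start = 0, 0
    for end in range(len(times)):
        # Slide the window start forward until it spans less than `window`.
        while times[end] - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_flooders(images, max_empty=10, max_per_minute=5):
    """Owners exceeding either an absolute or a per-minute empty-image limit.

    Thresholds are illustrative; tune them to the deployment's real usage.
    """
    flagged = []
    for owner, count in empty_images_per_owner(images).items():
        rate = peak_rate_per_minute(images, owner)
        if count > max_empty or rate > max_per_minute:
            flagged.append({"owner": owner, "empty_images": count,
                            "peak_per_minute": rate})
    return flagged


if __name__ == "__main__":
    for entry in flag_flooders(SAMPLE_IMAGES):
        print("%(owner)s: %(empty_images)d empty images, "
              "peak %(peak_per_minute)d/min" % entry)
        print("  candidate ids:", empty_image_ids(SAMPLE_IMAGES, entry["owner"]))
```

In a real deployment the record list would come from an admin listing of all images (or directly from the images table), and the flagged ids would be handed to image-delete; the sliding-window rate is what distinguishes a flood from a tenant that legitimately accumulates a few stuck uploads over weeks.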