Openstack Security Notice: OSSN-0090: glance configuration with COW backends

Bug #1993606 reported by Ghada Khalil
Affects: StarlingX | Status: Fix Released | Importance: Low | Assigned to: Lucas de Ataides Barreto

Bug Description

Brief Description
-----------------
There is a new Openstack security notice, https://wiki.openstack.org/wiki/OSSN/OSSN-0090, for Glance that describes a configuration affecting the Openstack releases 'Queens' through 'Zed', so it includes the current StarlingX version, Ussuri.

Checking the glance-api.conf file confirmed that this security note affects the current StarlingX configuration, so we need to follow the proposed steps to secure it or review our use of "show_image_direct_url=true".

Severity
---------
Medium: Security Issue

Steps to Reproduce
------------------
N/A

Expected Behavior
-----------------
N/A

Actual Behavior
-----------------
N/A

Reproducibility
-----------------
Reproducible

System Configuration
-----------------
N/A

Load info (eg: 2022-03-10_20-00-07)
-----------------
stx main branch

Last Pass
---------
N/A

Timestamp/Logs
--------------
$ kubectl -n openstack exec -it glance-api-7fc79d67cd-gq4h7 -- bash
$ cat /etc/glance/glance-api.conf | grep show_multiple_locations
$ cat /etc/glance/glance-api.conf | grep show_image_direct_url
show_image_direct_url = true

Test Activity
-------------
Security vulnerabilities review

Workaround
----------
None

Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Thales Elero Cervi (tcervi)
status: New → Triaged
importance: Undecided → Medium
tags: added: stx.distro.openstack
tags: added: stx.8.0
tags: added: stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Medium → Low
tags: removed: stx.8.0
Ghada Khalil (gkhalil)
information type: Public → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-armada-app (master)
Changed in starlingx:
status: Triaged → In Progress
Changed in starlingx:
assignee: Thales Elero Cervi (tcervi) → Lucas de Ataides Barreto (ldeataid)
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-armada-app (master)

Reviewed: https://review.opendev.org/c/starlingx/openstack-armada-app/+/899419
Committed: https://opendev.org/starlingx/openstack-armada-app/commit/57bb421e85de6a223fb687c8dd628e41072c09e1
Submitter: "Zuul (22348)"
Branch: master

commit 57bb421e85de6a223fb687c8dd628e41072c09e1
Author: Lucas de Ataides <email address hidden>
Date: Thu Oct 26 13:47:28 2023 -0300

    Update Glance config according to OSSN-0090

    The security note OSSN-0090 [1] from Openstack describes a
    configuration that makes it possible to open some known attack vectors
    by which malicious data modification can occur.

    The vulnerability only occurs if one of the following parameters is
    set to True in Glance's configuration: `show_multiple_locations` or
    `show_image_direct_url`. In the case of the STX-Openstack app,
    `show_image_direct_url` was being set to True in the app's plugin [2].

    It looks like this configuration was just carried over from when the
    app's plugin was detached from sysinv [3], which itself was based on
    an even older commit [4]. Unfortunately, the commit message of [4] has
    no explanation of why this was required.

    This commit changes the app's plugin to define both the
    `show_image_direct_url` and the `show_multiple_locations` parameters as
    `False`, since we can easily avoid the security issue described in [1]
    by doing that, and it does not impact the application's
    functionality, as seen in the test plan for this change.

    [1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090
    [2] https://opendev.org/starlingx/openstack-armada-app/src/branch/master/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/glance.py#L155
    [3] https://review.opendev.org/c/starlingx/openstack-armada-app/+/688190
    [4] https://review.opendev.org/c/starlingx/config/+/611948

    Test Plan:
    PASS: Build python3-k8sapp-openstack and stx-openstack-helmf-fluxcd
          packages
    PASS: Build STX-Openstack helm charts
    PASS: Upload / apply / remove STX-Openstack app
    PASS: Inspection of /etc/glance/glance-api.conf shows that both the
          show_multiple_locations and show_image_direct_url parameters are
          set to `False`

    Using OpenStack's CLI:
        PASS: Image commands are executed as expected: `openstack image
              list`, `openstack image show`
        PASS: Create an image
        PASS: Delete an image
        PASS: Create a bootable volume from an image
        PASS: Boot a VM using an image as the source
        PASS: Boot a VM using the bootable volume as a source
        PASS: Delete both VMs and the volume

    Using Horizon dashboard:
        PASS: All tenants are able to see and inspect images
        PASS: Create an image
        PASS: Delete an image
        PASS: Create a bootable volume from an image
        PASS: Boot a VM using an image as the source
        PASS: Boot a VM using the bootable volume as a source
        PASS: Delete both VMs and the volume

    Closes-Bug: 1993606

    Change-Id: I20f241224234353363c632085e3e41b91f97abf5
    Signed-off-by: Lucas de Ataides <lucas.deata...

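The check the bug report performs by hand with `grep`, and the end state the merged change describes, as an added example (not StarlingX, Glance or the author's code): a small audit that parses a glance-api.conf with `configparser` and reports which of the two OSSN-0090 options are enabled. The two sample configs are constructed for illustration; the `rbd` store and the other keys are assumed, not taken from the StarlingX chart.

```python
"""Audit a glance-api.conf for the two options OSSN-0090 is concerned with."""
import configparser

# The [DEFAULT] options named in OSSN-0090 and in the commit above.
OSSN_0090_OPTIONS = ("show_image_direct_url", "show_multiple_locations")


def _is_true(value: str) -> bool:
    # oslo.config accepts the usual boolean spellings, case-insensitively.
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit_glance_conf(conf_text: str) -> dict:
    """Return {option: enabled} for both options; an absent option counts
    as disabled, which is Glance's default for both."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    defaults = parser["DEFAULT"]
    return {opt: _is_true(defaults.get(opt, "false")) for opt in OSSN_0090_OPTIONS}


def exposed_options(conf_text: str) -> list:
    """Names of the options that are enabled, i.e. what still needs fixing."""
    return [opt for opt, on in audit_glance_conf(conf_text).items() if on]


# Constructed sample: the pre-fix state reported in the bug (direct URL on).
BEFORE_FIX = """[DEFAULT]
bind_host = 0.0.0.0
show_image_direct_url = true
[glance_store]
default_store = rbd
"""

# Constructed sample: what the merged change produces (both explicitly False).
AFTER_FIX = """[DEFAULT]
bind_host = 0.0.0.0
show_image_direct_url = False
show_multiple_locations = False
[glance_store]
default_store = rbd
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, exposed_options(text) or "no OSSN-0090 options enabled")
```

Run it against a file with `exposed_options(open("/etc/glance/glance-api.conf").read())` from inside the glance-api pod to get the same answer the manual `grep` gives, without missing the case where the option is absent or spelled `True`.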

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.9.0