Comment 2 for bug 1993606

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-armada-app (master)

Reviewed: https://review.opendev.org/c/starlingx/openstack-armada-app/+/899419
Committed: https://opendev.org/starlingx/openstack-armada-app/commit/57bb421e85de6a223fb687c8dd628e41072c09e1
Submitter: "Zuul (22348)"
Branch: master

commit 57bb421e85de6a223fb687c8dd628e41072c09e1
Author: Lucas de Ataides <email address hidden>
Date: Thu Oct 26 13:47:28 2023 -0300

    Update Glance config according to OSSN-0090

    The security note OSSN-0090 [1] from OpenStack describes a
    configuration that makes it possible to open some known attack vectors
    by which malicious data modification can occur.

    The vulnerability only occurs if one of the following parameters is
    set to True in Glance's configuration: `show_multiple_locations` or
    `show_image_direct_url`. In the case of the STX-Openstack app, the
    `show_image_direct_url` was being set to True in the app's plugin [2].

    It looks like this configuration was just transported from when the
    app's plugin was detached from sysinv [3], which itself was based on
    an even older commit [4]. Unfortunately, the commit message of [4] has
    no explanation of why this was required.

    This commit changes the app's plugin to define both the
    `show_image_direct_url` and the `show_multiple_locations` parameters as
    `False`, since we can easily avoid the security issue described in [1]
    by doing that, and it does not impact the application's
    functionalities, as seen in the test plan for this change.

    [1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090
    [2] https://opendev.org/starlingx/openstack-armada-app/src/branch/master/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/glance.py#L155
    [3] https://review.opendev.org/c/starlingx/openstack-armada-app/+/688190
    [4] https://review.opendev.org/c/starlingx/config/+/611948

    Test Plan:
    PASS: Build python3-k8sapp-openstack and stx-openstack-helmf-fluxcd
          packages
    PASS: Build STX-Openstack helm charts
    PASS: Upload / apply / remove STX-Openstack app
    PASS: Inspection of /etc/glance/glance-api.conf shows that both the
          show_multiple_locations and show_image_direct_url parameters are
          set to `False`

    Using OpenStack's CLI:
        PASS: Image commands are executed as expected: `openstack image
              list`, `openstack image show`
        PASS: Create an image
        PASS: Delete an image
        PASS: Create a bootable volume from an image
        PASS: Boot a VM using an image as the source
        PASS: Boot a VM using the bootable volume as a source
        PASS: Delete both VMs and the volume

    Using Horizon dashboard:
        PASS: All tenants are able to see and inspect images
        PASS: Create an image
        PASS: Delete an image
        PASS: Create a bootable volume from an image
        PASS: Boot a VM using an image as the source
        PASS: Boot a VM using the bootable volume as a source
        PASS: Delete both VMs and the volume

    Closes-Bug: 1993606

    Change-Id: I20f241224234353363c632085e3e41b91f97abf5
    Signed-off-by: Lucas de Ataides <email address hidden>
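As an added check for the glance-api.conf inspection step in the test plan above (example code written here, not part of the change or of StarlingX): a small Python helper that parses a glance-api.conf and reports which of the two OSSN-0090 options is enabled. It assumes both options live in the `[DEFAULT]` section and that an option missing from the file takes Glance's default of False.

```python
"""Report OSSN-0090 settings (show_multiple_locations, show_image_direct_url)
that are enabled in a glance-api.conf.

Added example, not code from the StarlingX change. Assumes the options sit
in [DEFAULT] and that an absent option means Glance's default of False.
"""
import configparser

OSSN_0090_OPTIONS = ("show_multiple_locations", "show_image_direct_url")


def ossn_0090_findings(conf_text: str) -> dict:
    """Return {option: True} for every OSSN-0090 option that is enabled.

    An empty dict means the file is in the state the commit describes:
    both parameters effectively False.
    """
    # strict=False tolerates duplicated keys that real-world config files
    # sometimes accumulate; '#'/';' lines (as in the sample conf) are comments.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for opt in OSSN_0090_OPTIONS:
        try:
            # Absent option -> Glance default (False), so only explicit
            # truthy values (true/yes/on/1, case-insensitive) are reported.
            enabled = parser.getboolean("DEFAULT", opt, fallback=False)
        except ValueError:
            # Unparseable value: treat as a finding so a human looks at it.
            enabled = True
        if enabled:
            findings[opt] = True
    return findings


def check_file(path: str) -> dict:
    """Convenience wrapper: run the check against an on-disk glance-api.conf."""
    with open(path, encoding="utf-8") as fh:
        return ossn_0090_findings(fh.read())


# Constructed samples: the state the plugin produced before the change,
# and the state it produces after it.
WEAK_CONF = "[DEFAULT]\nshow_image_direct_url = True\n"
FIXED_CONF = (
    "[DEFAULT]\nshow_image_direct_url = False\n"
    "show_multiple_locations = False\n"
)

if __name__ == "__main__":
    print("before:", ossn_0090_findings(WEAK_CONF))   # {'show_image_direct_url': True}
    print("after: ", ossn_0090_findings(FIXED_CONF))  # {}
```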