yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #45030
[Bug 1498163] Re: [OSSA 2015-020] Glance storage quota bypass when token is expired (CVE-2015-5286)
** Also affects: glance/kilo
Importance: Undecided
Status: New
** Changed in: glance/kilo
Status: New => Fix Committed
** Changed in: glance/kilo
Milestone: None => 2015.1.3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1498163
Title:
[OSSA 2015-020] Glance storage quota bypass when token is expired
(CVE-2015-5286)
Status in Glance:
Fix Released
Status in Glance juno series:
Fix Released
Status in Glance kilo series:
Fix Committed
Status in OpenStack Security Advisory:
Fix Released
Bug description:
About a year ago it was a vulnerability called 'Glance user storage quota bypass': https://security.openstack.org/ossa/OSSA-2015-003.html, where any user could overcome the quota and clog up the storage.
The fix was proposed in master and all other stable branches, but it turned out, that it doesn't completely remove the issue and any user still can exceed the quota.
It happens in case if user token is expired during file upload and
when glance tries to update image status from 'saving' to 'active'.
Then glance gets Unauthenticated exception from registry server and
fails with 500 error. On the other side garbage file is left in
storage.
Steps to reproduce mostly coincide with the related from the previous bug, but in general it is:
1. Set some value (like 1Gb) to user_storage_quota in glance-api.conf and restart the server.
2. Make sure that your token will expire soon, when you'll be able to create an image instance in DB and begin the upload, but the token will expire during it.
3. Create an image, begin the upload and quickly remove the image with 'glance image-delete'.
4. After the upload check that image is not in the list, i.e. it's deleted, and file is still located in the store.
5. Perform steps 2-4 several times to make sure that user quota is exceeded.
Related script (test_images.py from here
https://bugs.launchpad.net/glance/+bug/1398830) works fine, too, but
it's better to reduce token life time in keystone config to 1 or 2
minutes, just for not to wait for one hour.
Glance api v2 is affected as well, but only if registry db_api is
enabled.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1498163/+subscriptions