yahoo-eng-team team mailing list archive
Message #67631
[Bug 1401170] Re: 0-size images allow unprivileged user to deplete glance resources
** Changed in: glance
Status: In Progress => Won't Fix
** Changed in: glance
Importance: High => Wishlist
** Changed in: glance
Assignee: Stuart McLaren (stuart-mclaren) => (unassigned)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1401170
Title:
0-size images allow unprivileged user to deplete glance resources
Status in Glance:
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
Glance allows creating 0-size images ('glance image-create' without
parameters). Those images do not consume resources of the storage backend
and do not hit any size limits, but they take up space in the database.
A malicious user can cause database resource depletion with an endless
flood of 'image-create' requests. Because an empty request is small,
it will cause more strain on OpenStack than on the attacker.
RateLimit on API requests allows delaying the consequences of the attack, but
does not prevent it.
Here is a simple script to run the attack:
while true;do curl -i -X POST -H 'X-Auth-Token: ***' http://glance-endpoint:9292/v1/images;done
My estimation for database growth is about 1Mb/minute (with an extra-slow
shell-based attack, but a specially crafted script will allow running
it at RateLimit speed).
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1401170/+subscriptions
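A defender-side check for the flood described in this bug, added here as an example that is not part of the bug report or of Glance itself: it scans image records (constructed sample data using the owner, size and created_at fields of a Glance image listing) and flags any owner whose zero-size image creations within a sliding time window reach a threshold. The window length and threshold are assumptions; tune them to the deployment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _mk(owner, size, minute, second):
    """Build one constructed image record in the shape of a Glance listing entry."""
    return {"owner": owner, "size": size,
            "created_at": f"2014-12-10T12:{minute:02d}:{second:02d}Z"}


# Constructed sample data (not real Glance output): tenant-a creates 12 empty
# images within one minute; tenant-b creates two empty images far apart plus
# one normal 1 MiB image.
SAMPLE_IMAGES = (
    [_mk("tenant-a", 0, 0, 5 * i) for i in range(12)]
    + [_mk("tenant-b", 0, 3, 0), _mk("tenant-b", None, 30, 0),
       _mk("tenant-b", 1048576, 4, 0)]
)


def parse_ts(value):
    """Parse Glance-style ISO 8601 timestamps, tolerating a trailing 'Z'."""
    return datetime.strptime(value.rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def zero_size_flooders(images, window=timedelta(minutes=5), threshold=10):
    """Return {owner: peak_count} for owners who created at least `threshold`
    zero-size images inside any window of length `window`.

    A size of None is treated as zero, since an image created without data
    has no size recorded.
    """
    by_owner = defaultdict(list)
    for img in images:
        if (img.get("size") or 0) == 0:
            by_owner[img["owner"]].append(parse_ts(img["created_at"]))

    flagged = {}
    for owner, times in by_owner.items():
        times.sort()
        start, peak = 0, 0
        # Two-pointer sliding window over the sorted creation times.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[owner] = peak
    return flagged


if __name__ == "__main__":
    print(zero_size_flooders(SAMPLE_IMAGES))  # → {'tenant-a': 12}
```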