
yahoo-eng-team team mailing list archive

[Bug 1545092] Re: Images v2 api image-create vulnerability


I think by now this is safe to close as opinion. I don't see us doing
the rate limiting on the Glance side, but assume it is done on the
load balancer or encryption termination level instead.

** Changed in: glance
       Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1545092

Title:
  Images v2 api image-create vulnerability

Status in Glance:
  Opinion
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  This report applies to all versions of Glance.

  The POST v2/images call creates an image (record) in 'queued' status.
  There is no limit enforced in glance on the number of images a single
  tenant may create, just on the total amount of storage a single user
  may consume [0].  Thus a user could either maliciously or by mistake
  clog up multiple database tables (images, image_properties,
  image_tags, image_members) with useless image records, thereby causing
  a denial of service.

  This is a concern because the approved 2016.0 DefCore specification
  requires the 'images-v2-index' capability [1, 2].  The tempest test
  for this capability functions by creating several image records and
  then checking the GET v2/images response to make sure all these
  records are returned [3].  Thus any cloud that wishes to qualify under
  2016.01 must expose POST v2/images to all end users, thereby exposing
  such clouds to this vulnerability, which could otherwise be mitigated
  by restricting POST v2/images to trusted users.

  [0] https://github.com/openstack/glance/blob/132906146dd74a2eeae67706e19e4fa44559bb8b/etc/glance-api.conf#L89
  [1] https://github.com/openstack/defcore/blob/master/2016.01.json#L48
  [2] https://github.com/openstack/defcore/blob/master/2016.01.json#L1391-L1412
  [3] https://github.com/openstack/tempest/blob/df88737b9cdaabb5633b4fefb723676e71cd1af0/tempest/api/image/v2/test_images.py#L184-L191

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1545092/+subscriptions
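The report above says Glance caps only per-user storage, not the number of image records a tenant may leave in 'queued' status. Since the thread settles on handling the problem outside Glance, one operator-side mitigation is an audit over the image list that flags owners who accumulate queued records or create images faster than a policy allows. The following is an added example written for this archive page; it is not code from the bug report, from Glance, or from the OpenStack project. The policy constants (MAX_IMAGES_PER_OWNER, MAX_QUEUED_PER_OWNER, RATE_WINDOW, MAX_CREATES_PER_WINDOW) are hypothetical thresholds, not Glance configuration options, and the input records are constructed inline, shaped like the id/owner/status/created_at fields of a GET v2/images response.

```python
"""Audit helper: flag tenants that hoard 'queued' Glance image records.

Added example for the bug 1545092 archive page; not Glance code.
The policy values below are hypothetical, not glance-api.conf options.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical operator policy (assumed values, not Glance settings).
MAX_IMAGES_PER_OWNER = 100        # total records an owner may hold
MAX_QUEUED_PER_OWNER = 20         # records allowed to sit in 'queued'
RATE_WINDOW = timedelta(minutes=5)
MAX_CREATES_PER_WINDOW = 10       # creates per owner per RATE_WINDOW

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"     # Glance v2 timestamp layout, e.g. 2016-02-12T12:00:00Z


def parse_ts(value):
    """Parse a Glance-style UTC timestamp string into an aware datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def audit_owners(images, now):
    """Return {owner: [reasons]} for every owner that breaches a policy.

    `images` is an iterable of dicts with at least owner, status and
    created_at; `now` is the aware datetime the rate window ends at.
    """
    by_owner = defaultdict(list)
    for img in images:
        by_owner[img["owner"]].append(img)

    findings = {}
    for owner, imgs in by_owner.items():
        reasons = []
        if len(imgs) > MAX_IMAGES_PER_OWNER:
            reasons.append("total images %d > %d" % (len(imgs), MAX_IMAGES_PER_OWNER))
        queued = [i for i in imgs if i["status"] == "queued"]
        if len(queued) > MAX_QUEUED_PER_OWNER:
            reasons.append("queued images %d > %d" % (len(queued), MAX_QUEUED_PER_OWNER))
        # Sliding window: creates whose timestamp falls within RATE_WINDOW of `now`.
        recent = [i for i in imgs if timedelta(0) <= now - parse_ts(i["created_at"]) <= RATE_WINDOW]
        if len(recent) > MAX_CREATES_PER_WINDOW:
            reasons.append("%d creates in last %s > %d"
                           % (len(recent), RATE_WINDOW, MAX_CREATES_PER_WINDOW))
        if reasons:
            findings[owner] = reasons
    return findings


def make_sample():
    """Constructed sample data: tenant-a floods queued records, tenant-b is normal."""
    base = datetime(2016, 2, 12, 12, 0, 0, tzinfo=timezone.utc)
    images = []
    for n in range(30):  # 30 POST v2/images calls, one per second, never uploaded
        images.append({
            "id": "a-%04d" % n,
            "owner": "tenant-a",
            "status": "queued",
            "created_at": (base + timedelta(seconds=n)).strftime(TS_FMT),
        })
    for n in range(3):   # a few old, active images from a well-behaved tenant
        images.append({
            "id": "b-%d" % n,
            "owner": "tenant-b",
            "status": "active",
            "created_at": (base - timedelta(hours=n + 1)).strftime(TS_FMT),
        })
    # Audit one minute after the burst started.
    return images, base + timedelta(minutes=1)


if __name__ == "__main__":
    sample_images, sample_now = make_sample()
    for owner, reasons in audit_owners(sample_images, sample_now).items():
        print(owner)
        for reason in reasons:
            print("  -", reason)
```

In a real deployment the records would come from GET v2/images issued with an admin token so that all owners are visible, and the rate check would be run continuously rather than once; the per-window count is the same signal a load balancer rate limit on POST v2/images would act on, only applied after the fact.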