yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #95038
[Bug 2091410] Re: Denial of service by adding an unbounded number of tags to a network
** Description changed:
- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2025-03-10 and will be made
- public by or on that date even if no fix is identified.
-
It appears like users can add as many tags as they like to a neutron
network. It is possible this can lead to a denial of service attack.
How to reproduce:
for i in {1..10000}; do echo "--tag test$i"; done | xargs openstack
network set testnetworkname
expected outcome:
400 Bad request
actual outcome:
it works
While not the biggest of problems, it can be made worse by not patching this CVE:
https://bugs.launchpad.net/neutron/+bug/2088986
In that case, I think an attacker can keep adding lots of tags to a
shared public network, massively increasing the DB size and load over
time. I believe the only access they need is a valid keystone project
scoped token, and they can add tags to a shared public network. It was
trivial to make network show take twice as long with just 20k of tags.
There might be some quota or similar I am missing here?
Nova currently has a hardcoded limit of 50 tags, that are limited in the API layer in a few places, including:
https://github.com/stackhpc/nova/blob/701be180f74d8a127196acd842e813a8a7bf267c/nova/api/openstack/compute/server_tags.py#L126
https://github.com/stackhpc/nova/blob/701be180f74d8a127196acd842e813a8a7bf267c/nova/api/openstack/compute/schemas/server_tags.py#L23
** Information type changed from Private Security to Public
** Tags added: security
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2091410
Title:
Denial of service by adding an unbounded number of tags to a network
Status in neutron:
Confirmed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
It appears like users can add as many tags as they like to a neutron
network. It is possible this can lead to a denial of service attack.
How to reproduce:
for i in {1..10000}; do echo "--tag test$i"; done | xargs openstack
network set testnetworkname
expected outcome:
400 Bad request
actual outcome:
it works
While not the biggest of problems, it can be made worse by not patching this CVE:
https://bugs.launchpad.net/neutron/+bug/2088986
In that case, I think an attacker can keep adding lots of tags to a
shared public network, massively increasing the DB size and load over
time. I believe the only access they need is a valid keystone project
scoped token, and they can add tags to a shared public network. It was
trivial to make network show take twice as long with just 20k of tags.
There might be some quota or similar I am missing here?
Nova currently has a hardcoded limit of 50 tags, that are limited in the API layer in a few places, including:
https://github.com/stackhpc/nova/blob/701be180f74d8a127196acd842e813a8a7bf267c/nova/api/openstack/compute/server_tags.py#L126
https://github.com/stackhpc/nova/blob/701be180f74d8a127196acd842e813a8a7bf267c/nova/api/openstack/compute/schemas/server_tags.py#L23
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2091410/+subscriptions
