yahoo-eng-team team mailing list archive
Message #95278
[Bug 2091410] Re: Denial of service by adding an unbounded number of tags to a network
Reviewed: https://review.opendev.org/c/openstack/neutron/+/937887
Committed: https://opendev.org/openstack/neutron/commit/810b224b9139b2696221a0420ece4b9123aaec29
Submitter: "Zuul (22348)"
Branch: master
commit 810b224b9139b2696221a0420ece4b9123aaec29
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date: Tue Dec 17 16:13:16 2024 +0100
Add limit of tags for every resource
There is now a limit of 50 tags which can be created for every single resource.
A limit of 50 was chosen as this should be enough for every use case.
Also, e.g. Nova already has a limit of 50 tags for servers implemented, so
with such a limit Neutron will be consistent with Nova in that.
Closes-Bug: #2091410
Change-Id: I9b87d0425ac0dfdde75d2dd661f02d7124ea4f8b
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2091410
Title:
Denial of service by adding an unbounded number of tags to a network
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
It appears like users can add as many tags as they like to a neutron
network. It is possible this can lead to a denial of service attack.
How to reproduce:
    for i in {1..10000}; do echo "--tag test$i"; done | xargs openstack network set testnetworkname
expected outcome:
400 Bad request
actual outcome:
it works
While not the biggest of problems, it can be made worse by not patching this CVE:
https://bugs.launchpad.net/neutron/+bug/2088986
In that case, I think an attacker can keep adding lots of tags to a
shared public network, massively increasing the DB size and load over
time. I believe the only access they need is a valid keystone project
scoped token, and they can add tags to a shared public network. It was
trivial to make network show take twice as long with just 20k of tags.
There might be some quota or similar I am missing here?
Nova currently has a hardcoded limit of 50 tags, that are limited in the API layer in a few places, including:
https://github.com/stackhpc/nova/blob/701be180f74d8a127196acd842e813a8a7bf267c/nova/api/openstack/compute/server_tags.py#L126
https://github.com/stackhpc/nova/blob/701be180f74d8a127196acd842e813a8a7bf267c/nova/api/openstack/compute/schemas/server_tags.py#L23
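The fix described in the commit above caps tags per resource at 50 and answers oversized requests with 400 Bad Request, the outcome the reporter expected. The following is an added example written for this page, not Neutron's code: a hypothetical in-memory tag store (`TagStore`, `validate_tag_request`, `TagLimitExceeded` are all invented names) that enforces such a limit at the API layer, both on a single request body and on the merged total, so that many small requests cannot grow a resource past the cap either. `simulate_report` replays the reporter's 10,000-tag command against it.

```python
"""Added example: enforcing a per-resource tag limit at the API layer.

Illustrative code for this page, not Neutron's implementation. It assumes a
hypothetical in-memory store and uses 50 as the limit, the value the fix
above describes.
"""

MAX_TAGS_PER_RESOURCE = 50  # limit chosen in the fix described above


class TagLimitExceeded(Exception):
    """Raised when a request would leave a resource with too many tags.

    The hypothetical API layer maps this to HTTP 400 Bad Request.
    """
    http_status = 400

    def __init__(self, resource_id, attempted, limit):
        super().__init__(f"resource {resource_id}: {attempted} tags "
                         f"requested, limit is {limit}")
        self.resource_id = resource_id
        self.attempted = attempted
        self.limit = limit


def validate_tag_request(tags, limit=MAX_TAGS_PER_RESOURCE):
    """Schema-level check on the request body (the role maxItems plays in a
    JSON schema): type-check, collapse duplicates, and reject the request
    before anything touches the database."""
    if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
        raise ValueError("tags must be a list of strings")
    unique = sorted(set(tags))
    if len(unique) > limit:
        raise TagLimitExceeded("<request body>", len(unique), limit)
    return unique


class TagStore:
    """Constructed in-memory stand-in for the tags table (hypothetical)."""

    def __init__(self, limit=MAX_TAGS_PER_RESOURCE):
        self.limit = limit
        self._tags = {}  # resource_id -> set of tag strings

    def get(self, resource_id):
        return sorted(self._tags.get(resource_id, set()))

    def replace(self, resource_id, tags):
        """Replace the whole tag set of a resource (PUT semantics)."""
        unique = validate_tag_request(tags, self.limit)
        self._tags[resource_id] = set(unique)
        return self.get(resource_id)

    def add(self, resource_id, tags):
        """Add tags to the existing set. The limit applies to the merged
        total, so repeated small requests cannot creep past it."""
        unique = validate_tag_request(tags, self.limit)
        merged = self._tags.get(resource_id, set()) | set(unique)
        if len(merged) > self.limit:
            raise TagLimitExceeded(resource_id, len(merged), self.limit)
        self._tags[resource_id] = merged
        return self.get(resource_id)


def simulate_report(n=10000, resource_id="testnetworkname"):
    """Replay the reporter's loop (n tags named test1..testN) against the
    limited store and return the HTTP status the API would answer with."""
    store = TagStore()
    try:
        store.add(resource_id, [f"test{i}" for i in range(1, n + 1)])
    except TagLimitExceeded as exc:
        return exc.http_status
    return 200


if __name__ == "__main__":
    print("10000 tags ->", simulate_report())      # 400 with the limit in place
    print("50 tags    ->", simulate_report(50))    # 200, exactly at the cap
```

Checking the merged total in `add`, not only the request body, is the part that matters for the scenario in the report: a client that is allowed to add 50 tags per request could otherwise reach the reported 20k tags with a few hundred calls.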
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2091410/+subscriptions