-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Glance configuration option can lead to privilege escalation - ---
### Summary ### Glance exposes a configuration option called `use_user_token` in the configuration file `glance-api.conf`. It should be noted that the default setting (`True`) is secure. If, however, the setting is changed to `False` and valid admin credentials are supplied in the following section (`admin_user` and `admin_password`), Glance API commands will be executed with admin privileges regardless of the intended privilege level of the calling user. ### Affected Services / Software ### Glance, Juno, Kilo, Liberty ### Discussion ### The `use_user_token` configuration option was created to enable automatic re-authentication for tokens whch are close to expiration, thus preventing the tokens from expiring in the middle of longer-lasting Glance commands. Unfortunately the implementation enables privilege escalation attacks by automatically executing API commands as an administrator level user. By default `use_user_token` is set to `True` which is secure. If the option is disabled (set to `False`) and valid admin credentials are specified in the `glance-api.conf` file, API commands will be executed as the supplied admin user regardless of the intended privileges of the calling user. Glance API v2 configurations which don't enable the registry service (`data_api = glance.db.registry.api`) aren't affected. Enabling unauthenticated and lower privileged users to execute Glance commands with administrator privileges is very dangerous and may expose risks including: - tampering with images - deleting images - denial of service attacks ### Recommended Actions ### A comprehensive fix will be included in the Mitaka release. Meanwhile it is recommended that all users ensure that `use_user_token` is left at the default setting (`True`) or commented out. ### Contacts / References ### This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060 Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448 OpenStack Security Documentation : https://security.openstack.org OpenStack Security Project : https://wiki.openstack.org/wiki/Security Bug Introduction : https://review.openstack.org/#/c/29967/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWplPkAAoJEKVpf4LII88pLSEP/iPNzVeh9RkfwdC7sQFuyrYz jdwckkOvMzYIZj30crop1u2JYenKO6UdXjGrYCJsQqf+WRVpKMZmaEhw3h7w7Mvk w+uJDKHLbiQBMxZUkQAx9rjvuCGI7GEfbByQ0W8JOq79Gm7B/r1ezBozZXYeuqPL sCeUTGpwm+r8ZegNMnFmSKYTa4eH5ZTXoJL7b+5PxS//mbZIPEjhzb7Cyeas4yoe Pft6jrDHirmPqhQ0mR5QG0q/OWLCCTUs5bs8b3sNZ40WH7VHkLeoqAQYkMh7eTs0 5nsADK++qRrgSNE9dqwkP9xp3TH1DuALieQZB13oOTWQRvD5S6jwffqloYA0qX4a Dv4dJkGXPyBxhHcjmwJLZJw/NS2C0mSqSK34WRcBQE20tZExQX0nfrACvF3pLV37 8uQyAZcFg5ltf8BzvxJysoZs1cv8lEml0Xpn0goL2P4JKPcA7Zlr2KF3QcJZX1CS 56xxiKagJvRNUDxiPKMhkjD5azDYqayfeZ4V6KwZizo8lhBcREtogW8IoTuq+ZZu 0SCoPHxerq1kzfAMxXTGFWSOePqHBUvU8gW5LNxTtyXLguUhM7rUATQVL166FOVv 2OPhvUdMwxkHWgXMJrdtkt2aJ47fS+eSJeJofy/bPTD5fS+AzjoenGgq2SToTB1y k74g8yQVdhdSnA7nJP5m =y6vW -----END PGP SIGNATURE-----
smime.p7s
Description: S/MIME cryptographic signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev