** Also affects: glance/kilo
   Importance: Undecided
       Status: New

** Changed in: glance/kilo
       Status: New => Fix Committed

** Changed in: glance/kilo
    Milestone: None => 2015.1.3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1498163

Title:
  [OSSA 2015-020] Glance storage quota bypass when token is expired
  (CVE-2015-5286)

Status in Glance:
  Fix Released
Status in Glance juno series:
  Fix Released
Status in Glance kilo series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  About a year ago there was a vulnerability called 'Glance user storage quota
  bypass': https://security.openstack.org/ossa/OSSA-2015-003.html, where any user
  could overcome the quota and clog up the storage.
  The fix was proposed in master and all other stable branches, but it turned
  out that it doesn't completely remove the issue, and any user can still exceed
  the quota.

  It happens if the user token expires during a file upload and
  glance then tries to update the image status from 'saving' to 'active'.
  Glance gets an Unauthenticated exception from the registry server and
  fails with a 500 error. On the other side, a garbage file is left in
  storage.

  Steps to reproduce mostly coincide with those from the previous bug,
  but in general they are:
  1. Set some value (like 1Gb) for user_storage_quota in glance-api.conf and
     restart the server.
  2. Make sure that your token will expire soon, so that you are able to create
     an image instance in the DB and begin the upload, but the token expires
     during it.
  3. Create an image, begin the upload and quickly remove the image with
     'glance image-delete'.
  4. After the upload, check that the image is not in the list, i.e. it's deleted,
     and the file is still located in the store.
  5. Perform steps 2-4 several times to make sure that the user quota is exceeded.

  The related script (test_images.py from
  https://bugs.launchpad.net/glance/+bug/1398830) works fine too, but
  it's better to reduce the token lifetime in the keystone config to 1 or 2
  minutes, just so as not to wait for one hour.

  Glance api v2 is affected as well, but only if registry db_api is
  enabled.
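As an added illustration (not Glance's own code), the following Python models the failure mode described in the report with constructed in-memory stand-ins for the backend store and the registry: when the registry rejects the status update because the token expired, the unfixed flow leaves the bytes in the store while quota accounting (which only sees the DB) records nothing, and the fixed flow removes the bytes before re-raising.

```python
class NotAuthenticated(Exception):
    """Raised by the registry when the caller's token has expired."""

class Store:
    """Constructed in-memory stand-in for a Glance backend store."""
    def __init__(self):
        self.files = {}
    def add(self, image_id, data):
        self.files[image_id] = data
    def delete(self, image_id):
        self.files.pop(image_id, None)
    def used_bytes(self):
        return sum(len(d) for d in self.files.values())

class Registry:
    """Constructed in-memory stand-in for the registry DB."""
    def __init__(self, token_valid):
        self.token_valid = token_valid
        self.images = {}  # image_id -> size, only for images marked active
    def activate(self, image_id, size):
        if not self.token_valid:
            raise NotAuthenticated(image_id)
        self.images[image_id] = size
    def used_bytes(self):
        # Quota accounting only sees what the DB knows about.
        return sum(self.images.values())

def upload_unfixed(store, registry, image_id, data):
    """Pre-fix flow: if activation fails, the bytes stay in the store."""
    store.add(image_id, data)
    registry.activate(image_id, len(data))

def upload_fixed(store, registry, image_id, data):
    """Fixed flow: any failure after the write removes the data again."""
    store.add(image_id, data)
    try:
        registry.activate(image_id, len(data))
    except Exception:
        store.delete(image_id)  # keep store and DB consistent
        raise

def run_expired_uploads(upload, count, size=1024):
    """Return (store bytes, registry bytes) after `count` uploads whose
    token expired before activation; a gap between them is the bypass."""
    store, registry = Store(), Registry(token_valid=False)
    for i in range(count):
        try:
            upload(store, registry, f'img-{i}', b'x' * size)
        except NotAuthenticated:
            pass  # the API would return a 500 here
    return store.used_bytes(), registry.used_bytes()
```

The same gap between store usage and DB-tracked usage is what a defender can check for after the fact: files in the store with no active image record are the residue this bug leaves behind.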


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team