After discussing this in the OSSP meeting, I will mark this as won't fix
for the OSSN, as we have already covered the recommended actions in
several previous OSSNs. There is also a good amount of info in the
security guide around protecting endpoints and access controls
available for Glance.

** Changed in: ossn
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1649248

Title:
  Glance image upload wizard does not restrict invalid image files

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Won't Fix

Bug description:
  An unrestricted file upload exists when an application allows users to
  upload files without proper validation. Glance fails to properly validate
  image files across four key factors including file extension, mime-type,
  size, and upload frequency. In addition, Glance does not appear to scan
  uploaded files for known malware.

  Failing to restrict file uploads affects the security of the OpenStack
  environment in a number of ways. Attackers may commonly use file upload
  functionality to upload viruses or malware onto trusted servers. In
  addition to spreading malware, attackers can upload source code files
  (.aspx and .jsp for example) which may be rendered as valid application
  pages to end users. Additionally, if users are able to upload files of
  any size or at any frequency, an attacker may abuse this functionality
  to exhaust the server’s disk space.

  Steps To Reproduce:
  1. Log in to OpenStack as an admin
  2. Click on the Images tab and create a new image by uploading an EICAR
     text file containing the anti-malware test string (the EICAR
     anti-malware test file can be downloaded from http://www.eicar.org/ )
  3. Observe that the file is uploaded successfully without any pre-checks
     being done.

  The application should validate uploaded files for type and size, and
  limit how often the user is able to perform uploads. The following
  validation can be performed:

  a) If the application requires uploaded files to be of a specific type,
     such as img or vmdk, the application should validate the extension.
  b) The first four bytes of the file, i.e. the Magic Number, can be
     validated. These first few bytes are known as the file’s ‘Magic
     Number’ and will uniquely identify the file type. For example, all
     PDF files start with the byte sequence ‘%PDF’.
  c) An upper limit on file size can be enforced.

  In addition to the primary criteria above, all uploaded files should
  be scanned for known malware/viruses.
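The extension, magic-number, size and upload-frequency checks the report asks for, as an added Python illustration that is neither Glance/Horizon code nor the reporter's own: the extension allow-list, the `max_bytes` limit, the rate-limit parameters and the sample files are all constructed for this example. The magic byte sequences used (QCOW2 `QFI\xfb` at offset 0, VMDK `KDMV` or a `# Disk DescriptorFile` text header at offset 0, ISO 9660 `CD001` at offset 0x8001) are the real on-disk signatures; raw images carry no signature, so for them only extension and size can be checked, and the malware scan the report also recommends would need an external engine that is not shown here.

```python
import os
import time
from collections import deque

# Constructed allow-list: file extension -> disk format the service accepts.
ALLOWED_EXTENSIONS = {
    ".qcow2": "qcow2",
    ".vmdk": "vmdk",
    ".iso": "iso",
    ".img": "raw",
    ".raw": "raw",
}

# Real on-disk signatures per format as (offset, bytes). Any listed
# alternative matching is enough. "raw" has no entry: it has no magic number.
MAGIC = {
    "qcow2": [(0, b"QFI\xfb")],
    "vmdk": [(0, b"KDMV"), (0, b"# Disk DescriptorFile")],
    "iso": [(0x8001, b"CD001")],
}


def validate_upload(filename, data, max_bytes):
    """Check extension, size and magic number. Returns (accepted, reason)."""
    if len(data) == 0:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, f"file exceeds size limit ({len(data)} > {max_bytes} bytes)"

    ext = os.path.splitext(filename)[1].lower()
    fmt = ALLOWED_EXTENSIONS.get(ext)
    if fmt is None:
        return False, f"extension {ext!r} not allowed"

    checks = MAGIC.get(fmt)
    if checks is None:
        # Raw images cannot be verified by content; only extension and size apply.
        return True, "ok (raw image: no magic number to verify)"
    for offset, magic in checks:
        # Slicing past the end of short data yields b"", which simply fails to match.
        if data[offset:offset + len(magic)] == magic:
            return True, "ok"
    return False, f"content does not match {fmt} magic number"


class UploadRateLimiter:
    """Sliding-window limit: at most `limit` uploads per user per `window` seconds."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = {}  # user -> deque of upload timestamps

    def allow(self, user, now=None):
        now = time.monotonic() if now is None else now
        q = self._events.setdefault(user, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop uploads that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed sample uploads (header stubs only, not real disk images).
SAMPLES = {
    "good.qcow2": b"QFI\xfb" + b"\x00" * 60,
    "notes.qcow2": b"just some text, not a disk image\n",
    "cd.iso": b"\x00" * 0x8001 + b"CD001" + b"\x00" * 10,
    "plain.img": b"\x00" * 16,
    "tool.exe": b"MZ" + b"\x00" * 30,
    "huge.qcow2": b"QFI\xfb" + b"\x00" * 2000,
}


def run_samples(max_bytes=1024):
    """Validate every constructed sample; returns {filename: (accepted, reason)}."""
    return {name: validate_upload(name, data, max_bytes)
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}: {why}")
    limiter = UploadRateLimiter(limit=2, window_seconds=60)
    print([limiter.allow("alice", now=t) for t in (0, 1, 2, 61)])
```

The text-file-with-a-disk-image-extension case is the one the report describes: the extension passes, but the content check rejects it, which is why the magic-number check matters more than the extension check alone. The ISO sample is intentionally over 32 KiB because the signature sits inside the primary volume descriptor, so a size limit that is too small for the format would reject valid images before the content check runs.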
