[OSSA 2014-028] image_size_cap not checked in v2 (CVE-2014-5356)

I'm wondering if there's a security aspect to this?

If it's possible to upload an image of unrestricted length and then create multiple compute instances using that image there is the possibility that the filesystem on the nova compute nodes will fill up, preventing further instances from being created.

Once public, always public

Clear DoS, should probably be an OSSA as it's a code defect in OpenStack. OSSN would simply recommend caution around image who you allow to upload images.

How would this allow one to fill up the Nova compute nodes? Wouldn't the instance flavors still control the amount of disk that is used?

I could see this allowing one to fill up the backend storage used by Glance, though user_storage_quota should allow one to prevent this. The quota isn't set by default, but that could be recommended in an OSSN. The defaults for these values are as follows:

  image_size_cap = 1099511627776 (1TB)
  user_storage_quota = 0 (unlimited)

If I understand the way these values are intended to work correctly, one would be able to fill up Glance's backend storage by simply adding many images that are under the image_size_cap with the default settings. The fact that the cap is broken just means that one could add a lower number of larger images to fill up Glance's storage than they would if the cap was functioning properly.

Hi Arnaud,

We have a patch up for this: https://review.openstack.org/#/c/91764/

Oh ok :) thanks!

I think this warrants an OSSA, even if the Nova impact is yet unclear.

This vulnerability seems to be introduced in Grizzly at least, and as we don't support grizzly anymore we'll mark every versions up to 2013.2.3 affected.

Here is impact description draft #1:

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1

Description:
Thomas Leaman from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration is not honored. This may prevent further image upload and/or cause service disruption. Only setups using Glance image service are affected.

Impact description looks fine. A couple of grammatical problems maybe.

e.g. Should 'upload' be 'uploads' in "This may prevent further image upload"?

Thanks Tristan, couple of things:

1) Only the Glance v2 api is affected (v1 is not)
2) I think image 'import' is not affected -- it may be worth explicitly stating this, as import/upload
are similar functionality.
3) Is it possible/appropriate to put my name as well as Thomas's? (If not, no big deal!)

@Grant, Thanks for the typo :)

@Stuart, Thanks for the comments!
It is appropriate to mention you as a reporter, you are right, my bad!

Here is impact description draft #2:

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 to 2014.1.1

Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected.

Thanks Tristan. :-)

> All Glance setups using API v2 are affected.

It's possible to restrict/disable image upload using a policy, if you've done that you won't be affected even if you're using v2. Not sure if that's worth mentioning or is too much detail.

configuration -> configuration option
Maybe add "(unless you use a policy to restrict/disable image upload)" at the end to cover for Stuart's remark

Thanks for the review, it now cover Stuart's comment #12,

Here is impact description draft #3:

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 to 2014.1.1

Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload).

nitpick: "configuration" -> "configuration option"
Otherwise looks good.

Thanks ttx!

Here is impact description draft #4:

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 to 2014.1.1

Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration option is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload).

lgtm!

impactdesc +1

Tristan's latest draft impact description in comment #16 looks good to me.

Patch for this is still pretty much in progress. Any hope for an update there ?

Reviewed: https://review.openstack.org/91764
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=92ab00fca6926eaf3f7f92a955a5e07140063718
Submitter: Jenkins
Branch: master

commit 92ab00fca6926eaf3f7f92a955a5e07140063718
Author: Tom Leaman <email address hidden>
Date: Fri May 2 10:09:20 2014 +0000

    Enforce image_size_cap on v2 upload

    image_size_cap should be checked and enforced on upload

    Enforcement is in two places:
    - on image metadata save
    - during image save to backend store

    Closes-Bug: 1315321
    Change-Id: I45bfb360703617bc394e9e27fe17adf43b09c0e1
    Co-Author: Manuel Desbonnet <email address hidden>

Backports submitted:
* icehouse: https://review.openstack.org/c/115280
* havana: https://review.openstack.org/115289

Reviewed: https://review.openstack.org/115280
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=31a4d1852a0c27bac5757c192f300f051229a312
Submitter: Jenkins
Branch: stable/icehouse

commit 31a4d1852a0c27bac5757c192f300f051229a312
Author: Tom Leaman <email address hidden>
Date: Fri May 2 10:09:20 2014 +0000

    Enforce image_size_cap on v2 upload

    image_size_cap should be checked and enforced on upload

    Enforcement is in two places:
    - on image metadata save
    - during image save to backend store

    (cherry picked from commit 92ab00fca6926eaf3f7f92a955a5e07140063718)
    Conflicts:
     glance/location.py
     glance/tests/functional/v2/test_images.py

    Closes-Bug: 1315321
    Change-Id: I45bfb360703617bc394e9e27fe17adf43b09c0e1
    Co-Author: Manuel Desbonnet <email address hidden>

Reviewed: https://review.openstack.org/115289
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=12f43cfed5a47cd16f08b7dad2424da0fc362e47
Submitter: Jenkins
Branch: stable/havana

commit 12f43cfed5a47cd16f08b7dad2424da0fc362e47
Author: Tom Leaman <email address hidden>
Date: Fri May 2 10:09:20 2014 +0000

    Enforce image_size_cap on v2 upload

    image_size_cap should be checked and enforced on upload

    Enforcement is in two places:
    - on image metadata save
    - during image save to backend store

    (cherry picked from commit 92ab00fca6926eaf3f7f92a955a5e07140063718)
    Conflicts:
     glance/location.py
     glance/tests/functional/v2/test_images.py
     glance/tests/unit/test_store_image.py

    Closes-Bug: 1315321
    Change-Id: I45bfb360703617bc394e9e27fe17adf43b09c0e1
    Co-Author: Manuel Desbonnet <email address hidden>