<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/index.php?action=history&amp;feed=atom&amp;title=OSSN%2FOSSN-0076</id>
		<title>OSSN/OSSN-0076 - Revision history</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/index.php?action=history&amp;feed=atom&amp;title=OSSN%2FOSSN-0076"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0076&amp;action=history"/>
		<updated>2026-07-08T20:41:23Z</updated>
		<subtitle>Revision history for this page on the wiki</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0076&amp;diff=136631&amp;oldid=prev</id>
		<title>Lhinds at 22:15, 27 October 2016</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0076&amp;diff=136631&amp;oldid=prev"/>
				<updated>2016-10-27T22:15:11Z</updated>
		
		<summary type="html">&lt;p&gt;&lt;/p&gt;
&lt;table class=&quot;diff diff-contentalign-left&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class='diff-marker' /&gt;
				&lt;col class='diff-content' /&gt;
				&lt;col class='diff-marker' /&gt;
				&lt;col class='diff-content' /&gt;
				&lt;tr style='vertical-align: top;' lang='en'&gt;
				&lt;td colspan='2' style=&quot;background-color: white; color:black; text-align: center;&quot;&gt;← Older revision&lt;/td&gt;
				&lt;td colspan='2' style=&quot;background-color: white; color:black; text-align: center;&quot;&gt;Revision as of 22:15, 27 October 2016&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l1&quot; &gt;Line 1:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 1:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;__NOTOC__&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;__NOTOC__&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;−&lt;/td&gt;&lt;td style=&quot;color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;==Glance Image service v1 and v2 api image-create vulnerability==&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;+&lt;/td&gt;&lt;td style=&quot;color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== Glance Image service v1 and v2 api image-create vulnerability ==&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;−&lt;/td&gt;&lt;td style=&quot;color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;#160;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot;&gt;&amp;#160;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;=== Summary ===&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;=== Summary ===&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;</summary>
		<author><name>Lhinds</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0076&amp;diff=136630&amp;oldid=prev</id>
		<title>Lhinds: Created page with &quot;__NOTOC__  ==Glance Image service v1 and v2 api image-create vulnerability==   === Summary === No limits are enforced within the Glance image service for both v1 and v2 `/imag...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0076&amp;diff=136630&amp;oldid=prev"/>
				<updated>2016-10-27T22:13:38Z</updated>
		
		<summary type="html">&lt;p&gt;Created page with &amp;quot;__NOTOC__  ==Glance Image service v1 and v2 api image-create vulnerability==   === Summary === No limits are enforced within the Glance image service for both v1 and v2 `/imag...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;__NOTOC__&lt;br /&gt;
&lt;br /&gt;
==Glance Image service v1 and v2 api image-create vulnerability==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Summary ===&lt;br /&gt;
No limits are enforced within the Glance image service for both v1 and&lt;br /&gt;
v2 `/images` API POST method for authenticated users, resulting in&lt;br /&gt;
possible denial of service attacks through database table saturation.&lt;br /&gt;
&lt;br /&gt;
=== Affected Services / Software ===&lt;br /&gt;
All versions of Glance image service.&lt;br /&gt;
&lt;br /&gt;
=== Discussion ===&lt;br /&gt;
Within the Glance image service, calls to the POST method within v1 or&lt;br /&gt;
v2/images creates an image (record) in `queued` status. There is no&lt;br /&gt;
limit enforced within the Glance API on the number of images a single&lt;br /&gt;
tenant may create, just on the total amount of storage a single user may&lt;br /&gt;
consume.&lt;br /&gt;
&lt;br /&gt;
Therefore a user could either maliciously or unintentionally fill&lt;br /&gt;
multiple database tables (images, image_properties, image_tags,&lt;br /&gt;
image_members) with useless image records, thereby causing a denial of&lt;br /&gt;
service by lengthening transaction response times in the Glance database.&lt;br /&gt;
&lt;br /&gt;
=== Recommended Actions ===&lt;br /&gt;
For all versions of Glance that expose either the v1 and v2/images API,&lt;br /&gt;
operators are recommended to deploy external rate-limiting proxies or&lt;br /&gt;
web application firewalls, to provide a front layer of protection to&lt;br /&gt;
glance. The Glance database should be monitored for abnormal growth.&lt;br /&gt;
Although rate-limiting does not eliminate this attack vector, it will&lt;br /&gt;
slow it to the point where you can react prior to a denial of service&lt;br /&gt;
occurring.&lt;br /&gt;
&lt;br /&gt;
The following solutions may be considered, however it is key that the&lt;br /&gt;
operator carefully plans and considers the individual performance needs&lt;br /&gt;
of users and services within their OpenStack cloud, when configuring any&lt;br /&gt;
rate limiting functionality.&lt;br /&gt;
&lt;br /&gt;
==== Repose ====&lt;br /&gt;
Repose provides a rate limiting filter, that can utilise limits by IP,&lt;br /&gt;
Role (OpenStack Identity v3 filter) or header.&lt;br /&gt;
&lt;br /&gt;
https://repose.atlassian.net/wiki/display/REPOSE/Rate+Limiting+Filter&lt;br /&gt;
&lt;br /&gt;
==== NGINX ====&lt;br /&gt;
NGINX provides the limit_req_module, which can be used to provide a&lt;br /&gt;
global rate&lt;br /&gt;
limit. By means of a `map`, it can be limited to just the POST method.&lt;br /&gt;
&lt;br /&gt;
Further details can be found on the nginx site:&lt;br /&gt;
http://nginx.org/en/docs/http/ngx_http_limit_req_module.html&lt;br /&gt;
&lt;br /&gt;
==== HAProxy ====&lt;br /&gt;
HAProxy can provide inherent rate-limiting using stick-tables with a General&lt;br /&gt;
Purpose Counter (gpc)&lt;br /&gt;
&lt;br /&gt;
Further details can be found on the haproxy website:&lt;br /&gt;
&lt;br /&gt;
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos&lt;br /&gt;
&lt;br /&gt;
==== Apache ====&lt;br /&gt;
A number of solutions can be explored here as follows.&lt;br /&gt;
&lt;br /&gt;
===== mod_ratelimit =====&lt;br /&gt;
http://httpd.apache.org/docs/2.4/mod/mod_ratelimit.html&lt;br /&gt;
&lt;br /&gt;
===== mod_qos =====&lt;br /&gt;
http://opensource.adnovum.ch/mod_qos/dos.html&lt;br /&gt;
&lt;br /&gt;
===== mod_evasive =====&lt;br /&gt;
https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7&lt;br /&gt;
&lt;br /&gt;
===== mod_security =====&lt;br /&gt;
https://www.modsecurity.org/&lt;br /&gt;
&lt;br /&gt;
=== Limit `add_image` to admin role ===&lt;br /&gt;
&lt;br /&gt;
Another possible mitigation is to restrict image creation to the admin&lt;br /&gt;
role, however this should only be done for those cases in which there&lt;br /&gt;
are Glance nodes dedicated to end-user access only. Restriction to admin&lt;br /&gt;
only on Glance nodes that serve OpenStack services will for example,&lt;br /&gt;
remove the ability to create snapshots from the Compute API or to create&lt;br /&gt;
bootable volumes from Cinder.&lt;br /&gt;
&lt;br /&gt;
To restrict image creation to the role admin only, amend&lt;br /&gt;
`/etc/glance/policy.json` accordingly.&lt;br /&gt;
&lt;br /&gt;
    &amp;quot;add_image&amp;quot;: &amp;quot;role:admin&amp;quot;,&lt;br /&gt;
&lt;br /&gt;
===  Contacts / References ===&lt;br /&gt;
Author: Luke Hinds, Red Hat&lt;br /&gt;
&lt;br /&gt;
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0076&lt;br /&gt;
&lt;br /&gt;
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1545092&lt;br /&gt;
&lt;br /&gt;
OpenStack Security ML : openstack-security@lists.openstack.org&lt;br /&gt;
&lt;br /&gt;
OpenStack Security Group : https://launchpad.net/~openstack-ossg&lt;/div&gt;</summary>
		<author><name>Lhinds</name></author>	</entry>

	</feed>