Jump to: navigation, search

OSSN/OSSN-0088

< OSSN
Revision as of 15:50, 9 March 2021 by Konanabhi (talk | contribs) (Contacts / References)

Some of the Glance metadef APIs likely to leak resources

Summary

Metadef APIs are vulnerable and potentially leaking information to unauthorized users and also there is currently no limit on creation of metadef namespaces, objects, properties, resources and tags. This can be abused by malicious users to fill the Glance database resulting in a Denial of Service (DoS) condition.

Affected Services / Software

Glance

Discussion

There is no restriction on creation of metadef namespaces, objects, properties, resources and tags as well as it could also leak the information to unauthorized users or to the users outside of the project. By taking advantage of this lack of restrictions around metadef APIs, a a single user could fill the Glance database by creating unlimited resources, resulting in a Denial Of Service (DoS) style attack.

Glance does allow metadef APIs to be controlled by policy. However, the default policy setting for metadef APIs allows all users to create or read the metadef information.

Because metadef resources are not properly isolated to the owner, any use of them with potentially sensitive names (such as internal infrastructure details, customer names, etc) could unintentionally expose that information to a malicious user.

Recommended Actions

Since these fundamental issues have been present since the API was introduced, the Glance project is recommending operators disable all metadef APIs by default in their deployments.

Here is an example of disabling the metadef APIs in the deployments for current stable OpenStack releases either in policy.json or policy.yaml.

---- begin example policy.json/policy.yaml snippet ----
"metadef_default": "!",

"get_metadef_namespace": "rule:metadef_default",
"get_metadef_namespaces": "rule:metadef_default",
"modify_metadef_namespace": "rule:metadef_default",
"add_metadef_namespace": "rule:metadef_default",

"get_metadef_object": "rule:metadef_default",
"get_metadef_objects": "rule:metadef_default",
"modify_metadef_object": "rule:metadef_default",
"add_metadef_object": "rule:metadef_default",

"list_metadef_resource_types": "rule:metadef_default",
"get_metadef_resource_type": "rule:metadef_default",
"add_metadef_resource_type_association": "rule:metadef_default",

"get_metadef_property": "rule:metadef_default",
"get_metadef_properties": "rule:metadef_default",
"modify_metadef_property": "rule:metadef_default",
"add_metadef_property": "rule:metadef_default",

"get_metadef_tag": "rule:metadef_default",
"get_metadef_tags": "rule:metadef_default",
"modify_metadef_tag": "rule:metadef_default",
"add_metadef_tag": "rule:metadef_default",
"add_metadef_tags": "rule:metadef_default"
---- end example policy.json/policy.yaml snippet ----

To re-enable metadef policies to be allowed to be admin only, operator(s) can make a change in respective policy.json or policy.yaml as shown below; (assuming all metadef policies are configured to use rule:metadeta_default as shown in above example)

---- begin example policy.json/policy.yaml snippet ----
"metadef_default": "rule:admin",
---- begin example policy.json/policy.yaml snippet ----

Operators with users that depend on metadef APIs may choose to leave these accessible to all users. In that case, education of users about the potential for information leakage in the resource names is advisable so that vulnerable practices can be altered as mitigation.

To re-enable metadef policies to all users, operator(s) can make a change in respective policy.json or policy.yaml as shown below; (assuming all metadef policies are configured to use rule:metadeta_default as shown in above example)

---- begin example policy.json/policy.yaml snippet ----
"metadef_default": "",
---- begin example policy.json/policy.yaml snippet ----

Contacts / References

Author:

  • Abhishek Kekane, Red Hat
  • Lance Bragstad, Red Hat


This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0088

Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1545702

Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1916926

Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1916922

Mailing List : [Security] openstack-security@lists.openstack.org

OpenStack Security Project : https://launchpad.net/~openstack-ossg