[Openstack-security] [Bug 1251518] Re: Glance needs a config option to limit the number of additional image properties
OpenStack Infra
1251518 at bugs.launchpad.net
Mon Nov 25 09:42:32 UTC 2013
Reviewed: https://review.openstack.org/56981
Committed: http://github.com/openstack/glance/commit/f63d2f67ed1e7b8246b36bd08517a55a702a48a9
Submitter: Jenkins
Branch: master
commit f63d2f67ed1e7b8246b36bd08517a55a702a48a9
Author: Alex Meade <hatboy112 at yahoo.com>
Date: Fri Nov 15 22:42:55 2013 +0000
Add config option to limit image properties
This patch adds the image_property_quota config option. This allows a deployer
to limit the number of image properties allowed on an image. The default value
is 128, which is currently the limit enforced by nova. Users will only be able to
update an image if the result of the transaction would be under this limit.
This behavior is intended to be similar to 'quota_metadata_items' in nova.
This is for both Glance v1 and v2.
Fixes bug 1251518
docImpact
Change-Id: I4aa9504deae836404f11c9ada71a91f85caeba4c
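As an added illustration (written for this page, not Glance's own code and not part of the original notification), the following Python sketch shows the kind of check the commit message describes: an update to an image's additional properties is accepted only if the resulting property set fits within a configurable quota. The function names, the "None deletes a key" update convention, the negative-means-unlimited sentinel, and the allowance for shrinking an image that is already over quota are assumptions made for this example.

```python
# Added example for this page: an illustrative per-image property quota check
# in the spirit of the image_property_quota option described in the commit
# message. It is not Glance's implementation; the function names, the
# "None deletes a key" update convention and the negative-means-unlimited
# sentinel are assumptions made for this example.

DEFAULT_IMAGE_PROPERTY_QUOTA = 128  # the default the commit message states


class ImagePropertyQuotaExceeded(Exception):
    """Raised when an update would leave an image over its property quota."""


def merge_properties(current, changes):
    """Apply a property update: a None value deletes the key, others set it."""
    merged = dict(current)
    for key, value in changes.items():
        if value is None:
            merged.pop(key, None)
        else:
            merged[key] = value
    return merged


def enforce_property_quota(current, changes, quota=DEFAULT_IMAGE_PROPERTY_QUOTA):
    """Return the merged properties if the update fits the quota.

    The rule mirrors the commit message: an update is accepted only if the
    resulting property set is within the limit. One edge case is handled
    explicitly (an assumption of this example, not stated on the page): an
    image that already exceeds the quota, e.g. because properties were added
    before the option was deployed, may still be updated as long as the
    update does not grow it, so the excess can be cleaned up.
    """
    merged = merge_properties(current, changes)
    if quota < 0:  # assumption: a negative quota disables the limit
        return merged
    if len(merged) > quota and len(merged) >= len(current):
        raise ImagePropertyQuotaExceeded(
            "image would have %d properties, quota is %d" % (len(merged), quota))
    return merged


if __name__ == "__main__":
    # Constructed sample: an image with two properties and a quota of 3.
    props = {"os_type": "linux", "kernel_id": "abc"}
    props = enforce_property_quota(props, {"ramdisk_id": "def"}, quota=3)
    print("accepted:", sorted(props))
    try:
        enforce_property_quota(props, {"extra": "x"}, quota=3)
    except ImagePropertyQuotaExceeded as exc:
        print("rejected:", exc)
```

The check is evaluated on the merged result rather than on the incoming request alone, so a single PUT that replaces many properties, or a PATCH that both deletes and adds keys, is judged by where the image would end up, which is the property that makes the limit effective against filling the database with garbage.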
** Changed in: glance
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1251518
Title:
Glance needs a config option to limit the number of additional image
properties
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Committed
Status in OpenStack Security Advisories:
Invalid
Bug description:
Impact: The vulnerability occurs when glance is directly exposed to
users. If users can only hit glance via the compute API, then there is no
vulnerability.
Nova has a configuration option quota_metadata_items (default value
128) that's documented to limit the number of metadata items that can
be put on an instance. (I verified that it also applies to image
metadata using a havana devstack.)
Glance does not appear to have such an option (I was able to put >500
additional properties on an image using the glanceclient). I think
this is a DOS attack vector, since someone could fill the glance
database with garbage and slow everything down.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1251518/+subscriptions