[Openstack-security] [Bug 1251518] Re: Glance needs a config option to limit the number of additional image properties

OpenStack Infra 1251518 at bugs.launchpad.net
Mon Nov 25 09:42:32 UTC 2013


Reviewed:  https://review.openstack.org/56981
Committed: http://github.com/openstack/glance/commit/f63d2f67ed1e7b8246b36bd08517a55a702a48a9
Submitter: Jenkins
Branch:    master

commit f63d2f67ed1e7b8246b36bd08517a55a702a48a9
Author: Alex Meade <hatboy112 at yahoo.com>
Date:   Fri Nov 15 22:42:55 2013 +0000

    Add config option to limit image properties
    
    This patch adds the image_property_quota config option. This allows a deployer
    to limit the number of image properties allowed on an image. The default value
    is 128, as is currently the limit enforced by nova. Users will only be able to
    update an image if the result of the transaction would be under this limit.
    This behavior is intended to be similar to 'quota_metadata_items' in nova.
    
    This is for both Glance v1 and v2.
    
    Fixes bug 1251518
    docImpact
    
    Change-Id: I4aa9504deae836404f11c9ada71a91f85caeba4c


** Changed in: glance
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1251518

Title:
  Glance needs a config option to limit the number of additional image
  properties

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Committed
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  Impact: The vulnerability occurs when glance is directly exposed to
  users.  If users can only hit glance via the compute API, then there
  is no vulnerability.

  Nova has a configuration option quota_metadata_items (default value
  128) that's documented to limit the number of metadata items that can
  be put on an instance. (I verified that it also applies to image
  metadata using a havana devstack.)

  Glance does not appear to have such an option (I was able to put >500
  additional properties on an image using the glanceclient). I think
  this is a DoS attack vector, since someone could fill the glance
  database with garbage and slow everything down.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1251518/+subscriptions
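The commit message above describes the option's semantics (a per-image ceiling on the number of additional properties, default 128, enforced on the result of the whole update transaction rather than on each key in isolation) and the bug description shows the unbounded behaviour it closes. The following is an added example that models those semantics; it is not Glance's code and not the patch from the commit. The function and exception names are made up for the illustration, the sample property sets are constructed inline, and two details are assumptions rather than facts from this page: that a negative quota means "unlimited" (the convention Glance uses for its quota options) and that the limit is inclusive, i.e. an image may hold exactly `quota` properties, as nova's quota_metadata_items behaves.

```python
"""Added example, not Glance's own code: a transactional image-property quota
check modelling the image_property_quota option described in the commit message.
Function names, the exception type and the sample data are assumptions."""

from typing import Iterable, Mapping

# Default stated in the commit message, matching nova's quota_metadata_items.
DEFAULT_IMAGE_PROPERTY_QUOTA = 128


class ImagePropertyLimitExceeded(Exception):
    """Raised when an update would leave an image with more properties than allowed."""

    def __init__(self, attempted: int, maximum: int) -> None:
        super().__init__(
            f"image would have {attempted} properties, maximum is {maximum}"
        )
        self.attempted = attempted
        self.maximum = maximum


def apply_property_update(
    current: Mapping[str, str],
    set_props: Mapping[str, str],
    remove_props: Iterable[str] = (),
    quota: int = DEFAULT_IMAGE_PROPERTY_QUOTA,
) -> dict:
    """Return the property mapping that one update request would produce.

    The quota is checked against the *result* of the whole transaction, as the
    commit message states: overwriting an existing key or removing keys in the
    same request does not count against the limit, only the final number of
    distinct keys does. An image that is already over quota (the >500-property
    image from the bug report) can therefore still be updated, but only by a
    request that brings it back within the limit.

    Assumptions (not from the page): a negative quota disables the check, and
    the limit is inclusive (len(result) == quota is allowed, like nova).
    """
    result = dict(current)
    for key in remove_props:
        result.pop(key, None)  # deleting a missing key is not an error
    result.update(set_props)

    if quota >= 0 and len(result) > quota:
        raise ImagePropertyLimitExceeded(attempted=len(result), maximum=quota)
    return result


def can_update(
    current: Mapping[str, str],
    set_props: Mapping[str, str],
    remove_props: Iterable[str] = (),
    quota: int = DEFAULT_IMAGE_PROPERTY_QUOTA,
) -> bool:
    """True if the request would be accepted under the quota, False otherwise."""
    try:
        apply_property_update(current, set_props, remove_props, quota)
    except ImagePropertyLimitExceeded:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample data: an image sitting exactly at the default quota.
    at_quota = {f"prop{i}": "value" for i in range(DEFAULT_IMAGE_PROPERTY_QUOTA)}
    print("replace existing key at quota:", can_update(at_quota, {"prop0": "new"}))
    print("add one more key at quota:    ", can_update(at_quota, {"prop128": "x"}))

    # Constructed: the situation from the bug report, 500 properties on one image.
    flooded = {f"junk{i}": "garbage" for i in range(500)}
    print("touch over-quota image:       ", can_update(flooded, {"junk0": "y"}))
    print("prune it below the limit:     ",
          can_update(flooded, {}, remove_props=[f"junk{i}" for i in range(400)]))

    # Assumption: a negative quota reproduces the old unbounded behaviour.
    print("600 keys with quota=-1:       ", can_update({}, {f"k{i}": "v" for i in range(600)}, quota=-1))
```

Deployers set the ceiling in glance-api.conf with the option named in the commit, `image_property_quota = 128` (placing it under `[DEFAULT]` is an assumption about the file layout, not something this page states); the value only has teeth when tenants reach Glance directly rather than through nova, which is exactly the exposure the bug description calls out.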



