[Openstack-security] [Bug 1251518] Re: Glance needs a config option to limit the number of additional image properties

Thierry Carrez thierry.carrez+lp at gmail.com
Thu Apr 17 11:07:10 UTC 2014


** Changed in: glance
    Milestone: icehouse-1 => 2014.1

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1251518

Title:
  Glance needs a config option to limit the number of additional image
  properties

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  Impact: The vulnerability occurs when glance is directly exposed to
  users.  If users can only hit glance via the compute API, then there
  is no vulnerability.

  Nova has a configuration option quota_metadata_items (default value
  128) that's documented to limit the number of metadata items that can
  be put on an instance. (I verified that it also applies to image
  metadata using a havana devstack.)

  Glance does not appear to have such an option (I was able to put >500
  additional properties on an image using the glanceclient). I think
  this is a DoS attack vector, since someone could fill the glance
  database with garbage and slow everything down.




