[Openstack-security] [Bug 1593799] Re: glance-manage db purge breaks image immutability promise

Tristan Cacqueray tdecacqu at redhat.com
Fri Sep 16 01:37:54 UTC 2016


** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  Using the glance-manage db purge command opens the possibility of
  recycling image IDs.
  
  When the row is deleted from the database, the ID is no longer known to
  glance and thus is not unique over the deployment lifecycle. This opens
  the possibility of the following scenario:
  
  1) End user boots a VM from a private/public/shared image.
  2) Image owner deletes the image.
  3) glance-manage db purge gets run, which deletes the record that the image ever existed.
  4) Either a malicious user or someone unintentionally creates a new image with the same ID (being the same user and so having access to the image by owning it, or it becoming public/shared(/possibly community at some point)).
  5) The same end user boots either a snapshot from the original image, or nova needs to migrate the VM to another host. Now the user's VM will be rebuilt on top of the new image. In the worst case scenario the user had no idea that the image data changed in between.
  
  This behavior breaks the Glance image immutability promise, which has
  been stated as: the data related to an image ID that has gone active
  will never change.
  
  We have two solutions for this. Either we introduce a table to track the
  deleted image IDs and get glance to cross-check it during image create,
  or we leave it as is but issue a notice/documentation on what the
  implications are if the purge is used, transferring the responsibility
  to the cloud operators.
  
  This was partially discussed in the virtual glance midcycle meetup, so it
  might not be justified to leave this as private, but I wanted to leave
  that decision to the VMT.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1593799

Title:
  glance-manage db purge breaks image immutability promise

Status in Glance:
  Confirmed
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

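To make the five-step scenario and the proposed mitigation concrete, here is an added toy model of the images table (not Glance code, and not from the bug report): soft delete, a purge that drops soft-deleted rows, and the extra table of purged IDs that the report suggests cross-checking on create. The class and function names and the sample UUID are assumptions; Glance v2 really does let a client supply the image ID on create, which is what step 4 relies on.

```python
import uuid

class ImageRepo:
    """Toy model of Glance's images table (an assumption, not Glance code)."""

    def __init__(self):
        self.rows = {}           # image_id -> {"data": bytes, "deleted": bool}
        self.purged_ids = set()  # proposed extra table tracking purged IDs

    def create(self, data, image_id=None, check_purged=False):
        # Glance v2 lets the client supply the image ID; otherwise mint one.
        image_id = image_id or str(uuid.uuid4())
        if image_id in self.rows:             # existing uniqueness check;
            raise ValueError("duplicate id")  # soft-deleted rows still count
        if check_purged and image_id in self.purged_ids:
            raise ValueError("id was purged")  # the cross-check the report proposes
        self.rows[image_id] = {"data": data, "deleted": False}
        return image_id

    def delete(self, image_id):
        self.rows[image_id]["deleted"] = True  # Glance only soft-deletes here

    def purge(self):
        """glance-manage db purge: drop soft-deleted rows for good."""
        gone = [i for i, r in self.rows.items() if r["deleted"]]
        for i in gone:
            del self.rows[i]
            self.purged_ids.add(i)  # keep a record that this ID once existed
        return gone

    def data(self, image_id):
        return self.rows[image_id]["data"]

IMAGE_ID = "11111111-2222-4333-8444-555555555555"  # constructed sample ID

def recycle_scenario(run_purge, check_purged=False):
    """Steps 1-5 of the report; returns what a rebuild would now read."""
    repo = ImageRepo()
    repo.create(b"original image bits", image_id=IMAGE_ID)  # step 1: VM boots from it
    repo.delete(IMAGE_ID)                                   # step 2: owner deletes
    if run_purge:
        repo.purge()                                        # step 3: operator purges
    try:                                                    # step 4: same ID re-created
        repo.create(b"different bits", image_id=IMAGE_ID, check_purged=check_purged)
    except ValueError as exc:
        return f"rejected: {exc}"
    return repo.data(IMAGE_ID)                              # step 5: what a rebuild reads
```

Without the purge the soft-deleted row still blocks reuse; after the purge the same ID resolves to different bytes unless the purged-ID table is consulted.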
