[openstack-announce] [OSSN-0088] Some of the Glance metadef APIs likely to leak resources

Abhishek Kekane akekane at redhat.com
Tue Mar 9 15:17:40 UTC 2021


Some of the Glance metadef APIs likely to leak resources
-------------------------------------------------------------------------------

### Summary ###
The metadef APIs are vulnerable and can potentially leak information to
unauthorized users. In addition, there is currently no limit on the creation
of metadef namespaces, objects, properties, resources and tags. This
can be abused by malicious users to fill the Glance database, resulting
in a Denial of Service (DoS) condition.

### Affected Services / Software ###
Glance

### Discussion ###
There is no restriction on the creation of metadef namespaces, objects,
properties, resources and tags, and these APIs could also leak
information to unauthorized users or to users outside of the project. By
taking advantage of this lack of restrictions around metadef APIs, a
single user could fill the Glance database by creating
unlimited resources, resulting in a Denial of Service (DoS) style
attack.

Glance does allow metadef APIs to be controlled by policy. However, the
default policy setting for metadef APIs allows all users to create or
read the metadef information.

Because metadef resources are not properly isolated to the
owner, any use of them with potentially sensitive names (such as internal
infrastructure details, customer names, etc) could unintentionally
expose that information to a malicious user.

### Recommended Actions ###
Since these fundamental issues have been present since the API was
introduced, the Glance project is recommending operators disable all
metadef APIs by default in their deployments.

Here is an example of disabling the metadef APIs in deployments of
current stable OpenStack releases, in either policy.json or policy.yaml.

---- begin example policy.json/policy.yaml snippet ----
"metadef_default": "!",

"get_metadef_namespace": "rule:metadef_default",
"get_metadef_namespaces": "rule:metadef_default",
"modify_metadef_namespace": "rule:metadef_default",
"add_metadef_namespace": "rule:metadef_default",

"get_metadef_object": "rule:metadef_default",
"get_metadef_objects": "rule:metadef_default",
"modify_metadef_object": "rule:metadef_default",
"add_metadef_object": "rule:metadef_default",

"list_metadef_resource_types": "rule:metadef_default",
"get_metadef_resource_type": "rule:metadef_default",
"add_metadef_resource_type_association": "rule:metadef_default",

"get_metadef_property": "rule:metadef_default",
"get_metadef_properties": "rule:metadef_default",
"modify_metadef_property": "rule:metadef_default",
"add_metadef_property": "rule:metadef_default",

"get_metadef_tag": "rule:metadef_default",
"get_metadef_tags": "rule:metadef_default",
"modify_metadef_tag": "rule:metadef_default",
"add_metadef_tag": "rule:metadef_default",
"add_metadef_tags": "rule:metadef_default"
---- end example policy.json/policy.yaml snippet ----

To re-enable the metadef policies for admins only, operators can make
the following change in the respective policy.json or policy.yaml
(assuming all metadef policies are configured to use rule:metadef_default
as shown in the example above):

---- begin example policy.json/policy.yaml snippet ----
"metadef_default": "rule:admin",
---- end example policy.json/policy.yaml snippet ----

Operators with users that depend on metadef APIs may choose to leave
these accessible to all users. In that case, education of users about
the potential for information leakage in the resource names is
advisable so that vulnerable practices can be altered as mitigation.

To re-enable the metadef policies for all users, operators can make
the following change in the respective policy.json or policy.yaml
(assuming all metadef policies are configured to use rule:metadef_default
as shown in the example above):

---- begin example policy.json/policy.yaml snippet ----
"metadef_default": "",
---- end example policy.json/policy.yaml snippet ----

### Contacts / References ###
Author: Abhishek Kekane, Red Hat
Author: Lance Bragstad, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0088
Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1545702
Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1916926
Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1916922
Mailing List : [Security] openstack-security at lists.openstack.org
OpenStack Security Project : https://launchpad.net/~openstack-ossg


Thanks & Best Regards,

Abhishek Kekane
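
An added example, not part of the original advisory or of Glance's own tooling: a small Python check that reads a JSON policy file and reports which of the metadef policies named in the recommended-actions snippet are still open. The function names and the sample policy are constructed for illustration; the check relies on oslo.policy semantics, where "!" always rejects and an empty string or "@" always allows.

```python
import json

# The 20 policy names from the advisory's policy.json/policy.yaml snippet.
METADEF_POLICIES = """
get_metadef_namespace get_metadef_namespaces modify_metadef_namespace add_metadef_namespace
get_metadef_object get_metadef_objects modify_metadef_object add_metadef_object
list_metadef_resource_types get_metadef_resource_type add_metadef_resource_type_association
get_metadef_property get_metadef_properties modify_metadef_property add_metadef_property
get_metadef_tag get_metadef_tags modify_metadef_tag add_metadef_tag add_metadef_tags
""".split()


def effective_check(rules, name):
    """Follow "rule:<x>" aliases; return the final check string, or None if unset."""
    seen = set()
    value = rules.get(name)
    while isinstance(value, str) and value.startswith("rule:"):
        target = value[len("rule:"):]
        if target in seen or target not in rules:
            return value  # cycle, or rule defined outside this file: keep the reference
        seen.add(target)
        value = rules[target]
    return value


def audit_metadef(policy_text):
    """Return {policy_name: reason} for metadef policies that are not locked down."""
    rules = json.loads(policy_text)
    findings = {}
    for name in METADEF_POLICIES:
        check = effective_check(rules, name)
        if check is None:
            findings[name] = "not overridden; the built-in default applies"
        elif check in ("", "@"):
            findings[name] = "always allows (no restriction)"
    return findings


# Constructed sample: an incomplete override that leaves most policies untouched.
SAMPLE_POLICY = json.dumps({
    "metadef_default": "!",
    "get_metadef_namespace": "rule:metadef_default",
    "get_metadef_namespaces": "rule:metadef_default",
    "add_metadef_tag": "",
})

if __name__ == "__main__":
    for name, reason in sorted(audit_metadef(SAMPLE_POLICY).items()):
        print(f"{name}: {reason}")
```

An empty result means every listed metadef policy resolves to something other than an always-allow check; a policy.yaml file would need a YAML loader in place of `json.loads`.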