[Openstack-security] [Bug 1251518] Re: Glance needs a config option to limit the number of additional image properties
Jeremy Stanley
fungi at yuggoth.org
Fri Nov 15 15:55:37 UTC 2013
I agree, this falls to operator best practices and public service
hardening issues. Contrary to popular belief, private security bugs get
less attention and generally take longer to fix than regular public bugs
(due to the strictly limited set of people allowed to see and work
through them).
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1251518
Title:
Glance needs a config option to limit the number of additional image
properties
Status in OpenStack Image Registry and Delivery Service (Glance):
New
Status in OpenStack Security Advisories:
Invalid
Bug description:
Impact: The vulnerability occurs when glance is directly exposed to
users. If users can only hit glance via the compute API, then there is
no vulnerability.
Nova has a configuration option quota_metadata_items (default value
128) that's documented to limit the number of metadata items that can
be put on an instance. (I verified that it also applies to image
metadata using a Havana devstack.)
Glance does not appear to have such an option (I was able to put >500
additional properties on an image using the glanceclient). I think
this is a DoS attack vector, since someone could fill the glance
database with garbage and slow everything down.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1251518/+subscriptions
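The bug above asks for a Glance-side counterpart to Nova's quota_metadata_items. As an added illustration (not code from Glance, Nova or the bug reporter), the following shows the two checks an operator would want in that situation: a per-update quota that rejects a request before it is written, and an audit over existing images that finds the ones already over the limit, since a new quota does nothing about rows that are already in the database. Image records are assumed to be plain dicts shaped like Glance v2 image JSON, where any key not in a fixed set of API-defined fields counts as an additional property; BASE_IMAGE_KEYS, the quota default of 128 (borrowed from Nova's default), the -1-means-unlimited convention and the sample images are all assumptions made for this example.

```python
"""Added example, not Glance or Nova code: cap the number of additional
properties on an image and audit existing images against that cap.

Assumptions (constructed for this example):
  * an image is a dict shaped like a Glance v2 image record;
  * keys in BASE_IMAGE_KEYS are API-defined fields, every other key is a
    user-supplied "additional property";
  * quota semantics follow Nova's quota_metadata_items: default 128,
    -1 disables the check.
"""

# API-defined image fields, assumed here; anything else is an additional
# property and counts against the quota.
BASE_IMAGE_KEYS = frozenset({
    "id", "name", "status", "visibility", "protected", "checksum",
    "container_format", "disk_format", "size", "virtual_size",
    "min_disk", "min_ram", "owner", "created_at", "updated_at",
    "tags", "file", "self", "schema", "direct_url", "locations",
})

DEFAULT_PROPERTY_QUOTA = 128  # assumed default, mirrors Nova's quota_metadata_items


class PropertyQuotaExceeded(Exception):
    """Raised when an update would push an image over the property quota."""


def additional_properties(image):
    """Return only the user-supplied properties of an image record."""
    return {k: v for k, v in image.items() if k not in BASE_IMAGE_KEYS}


def apply_property_update(image, new_props, quota=DEFAULT_PROPERTY_QUOTA):
    """Merge new_props into a copy of image, enforcing the quota first.

    The count is taken on the merged result, so overwriting an existing
    property does not count twice, and a quota of -1 disables the check.
    """
    merged = dict(image)
    merged.update(new_props)
    count = len(additional_properties(merged))
    if quota >= 0 and count > quota:
        raise PropertyQuotaExceeded(
            "image %s: %d additional properties exceeds quota of %d"
            % (image.get("id"), count, quota))
    return merged


def audit_images(images, quota=DEFAULT_PROPERTY_QUOTA):
    """Operator-side check: list (image id, property count) for every image
    that is already over the quota, so they can be cleaned up by hand."""
    over = []
    for img in images:
        n = len(additional_properties(img))
        if quota >= 0 and n > quota:
            over.append((img.get("id"), n))
    return over


# Constructed sample data: one ordinary image and one stuffed with 600
# junk properties, the situation the bug report describes.
SAMPLE_IMAGES = [
    {"id": "img-0001", "name": "cirros", "status": "active",
     "os_type": "linux"},
    {"id": "img-0002", "name": "bloated", "status": "active",
     **{"junk_%d" % i: "x" * 255 for i in range(600)}},
]

if __name__ == "__main__":
    print("over quota:", audit_images(SAMPLE_IMAGES))
    try:
        apply_property_update(SAMPLE_IMAGES[0],
                              {"p%d" % i: "v" for i in range(200)})
    except PropertyQuotaExceeded as exc:
        print("rejected:", exc)
```

The same enforcement point is where a length cap on property keys and values belongs: a count limit alone still lets each property carry an arbitrarily large value, so the database growth the report is worried about needs both bounds.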