[Openstack-security] [Bug 1251518] Fix proposed to glance (master)
OpenStack Infra
1251518 at bugs.launchpad.net
Mon Nov 18 16:48:59 UTC 2013
Fix proposed to branch: master
Review: https://review.openstack.org/56981
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1251518
Title:
Glance needs a config option to limit the number of additional image
properties
Status in OpenStack Image Registry and Delivery Service (Glance):
In Progress
Status in OpenStack Security Advisories:
Invalid
Bug description:
Impact: The vulnerability occurs when glance is directly exposed to
users. If users can only hit glance via the compute API, then there is
no vulnerability.
Nova has a configuration option quota_metadata_items (default value
128) that's documented to limit the number of metadata items that can
be put on an instance. (I verified that it also applies to image
metadata using a havana devstack.)
Glance does not appear to have such an option (I was able to put >500
additional properties on an image using the glanceclient). I think
this is a DoS attack vector, since someone could fill the glance
database with garbage and slow everything down.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1251518/+subscriptions
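
Added example, not part of the original bug report and not Glance's own code: one way a server-side limit on additional image properties could be enforced, checking the merged record so that many small updates cannot get past it. The names apply_update, BASE_ATTRS and PropertyQuotaExceeded, the base-attribute set, and the reuse of Nova's default of 128 are assumptions made for the illustration.

```python
# Added illustration; all names here are hypothetical, not Glance identifiers.
# Assumed set of built-in image attributes that do not count as "additional".
BASE_ATTRS = frozenset({"name", "disk_format", "container_format", "visibility",
                        "min_disk", "min_ram", "protected", "tags"})
DEFAULT_LIMIT = 128   # mirrors Nova's quota_metadata_items default cited above
UNLIMITED = -1        # assumed convention for "no limit configured"


class PropertyQuotaExceeded(Exception):
    def __init__(self, attempted, limit):
        super().__init__(f"{attempted} additional properties exceeds limit {limit}")
        self.attempted = attempted
        self.limit = limit


def extra_properties(image):
    """Return only the user-defined (non-base) properties of an image dict."""
    return {k: v for k, v in image.items() if k not in BASE_ATTRS}


def apply_update(stored, changes, removed=(), limit=DEFAULT_LIMIT):
    """Merge an update into a stored image and enforce the property limit.

    The count is taken on the merged record, not on the request body, so a
    client cannot exceed the limit by sending many small updates. An image
    that is already over the limit (created before the limit existed) can
    still be edited or trimmed, but can never grow further.
    """
    merged = {k: v for k, v in stored.items() if k not in removed}
    merged.update(changes)
    before = len(extra_properties(stored))
    after = len(extra_properties(merged))
    if limit != UNLIMITED and after > limit and after > before:
        raise PropertyQuotaExceeded(after, limit)
    return merged
```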