Open Stack

Yes, ideally it should have been switched to public (and a bug tag of
"security" added) prior to distributing the OSSN, so that those reading
it could make use of the bug link it contained.

I'll go ahead and do that now.

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1593799

Title:
  glance-manage db purge breaks image immutability promise

Status in Glance:
  Confirmed
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.

  Using glance-manage db purge command opens possibility to recycle
  image-IDs.

  When the row is deleted from the database the ID is not known by
  glance anymore and thus it's not unique during the deployment
  lifecycle. This opens possibility to following scenario:

  1) End user boots VM from private/public/shared image.
  2) Image owner deletes the image.
  3) glance-manage db purge gets ran which deletes record that image has ever existed.
  4) Either malicious user or someone unintentionally creates new image with same ID (being same user so having access to the image by owning it or it becoming public/shared(/possbly community at some point))
  5) Same end user boots either snapshot from the original image or nova needs to migrate the VM to another host. Now the user's VM will be rebuilt on top of the new image. Worst case scenario the user had no idea that the image data changed in between.

  This behavior breaks Glance image immutability promise that has bee
  stated that the data related to image ID that has gone active will
  never change.

  We have two solutions for this. Either we introduce table to track the
  deleted image-IDs and get glance to cross check that during the image
  create or we leave it as is but issue notice/documentation what are
  the implications if the purge is used transferring the responsibility
  to the cloud operators.

  This was partially discussed in the virtual glance midcycle meetup so
  it might not be justified to leave this as private but I wanted to
  leave that decision to VMT.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1593799/+subscriptions