A user can prevent another user listing images via v2 (in certain cases)

Bug #1477910 reported by Stuart McLaren
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance Client
Fix Released
Critical
Stuart McLaren
Kilo
Fix Committed
High
Stuart McLaren
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

If user 'A' creates an image using the *v1* api, and provides a kernel_id or ramdisk_id which does not match the *v2* schema, eg:

$ glance image-create --disk-format raw --container-format bare --name img1 --property kernel_id=1234 --property ramdisk_id=5678 --file /etc/fstab
+-----------------------+--------------------------------------+
| Property | Value |
+-----------------------+--------------------------------------+
| Property 'kernel_id' | 1234 |
| Property 'ramdisk_id' | 5678 |
| checksum | 9cb02fe7fcac26f8a25d6db3109063ae |
| container_format | bare |
| created_at | 2015-07-24T09:28:58.000000 |
| deleted | False |
| deleted_at | None |
| disk_format | raw |
| id | 2c1e856d-ec2a-4080-a25c-9c5ee65f853e |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | img1 |
| owner | 411423405e10431fb9c47ac5b2446557 |
| protected | False |
| size | 145 |
| status | active |
| updated_at | 2015-07-24T09:28:58.000000 |
| virtual_size | None |
+-----------------------+--------------------------------------+

Then an admin user who tries to list images can see the following:

$ glance --os-image-api-version 2 image-list
u'5678' does not match u'^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$'

Failed validating u'pattern' in schema[u'properties'][u'ramdisk_id']:
    {u'description': u'ID of image stored in Glance that should be used as the ramdisk when booting an AMI-style image.',
     u'is_base': False,
     u'pattern': u'^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$',
     u'type': [u'null', u'string']}

On instance[u'ramdisk_id']:
    u'5678'

If the user deletes the image the admin listing starts to work again.

Note: to reproduce this it may be necessary for user 'A' to upload several images to ensure that an image which breaks the schema is returned first in a batch from the server.

This will effect a regular admin user, or anything which automatically polls glance using v2 in admin context (eg monitoring, metering, billing etc).

This can also affect some non-admin user cases:

* Public images

if someone has the ability to mark an image as public, then they can potentially break image listing via v2 for all users.

* Shared images

if user A has shared image X with user B, then they can potentially break image listing for user B via v2.

For a user to be able to do this v1 and v2 need to be enabled. This is the default glance configuration.
If v1 is currently disabled, but was enabled at some point there may be already existing private images which could be made public/shared.

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

When listing images, images are returned from the server in batches of, eg, 25.

Currently the v2 client validates the returned image metadata against the image schema for the first image in each batch.

(Originally all images were checked against the schema, but that was found to give poor performance.)

I'm not sure anymore if validating the schema for a subset of images when listing is a good idea.

It can give behaviour such as adding a 'good' image can break image listing if it means that a 'bad' image is now the first in a batch. Basically it can lead to unpredictable behaviour and bugs like this one.

I think removing all schema validation (at least by default) when doing v2 listing may make sense.

Revision history for this message
Mike Fedosin (mfedosin) wrote :

Yep, I got this issue...

My opinion is rejecting schema validation by default for image-list is okay, especially for the reason that it almost doesn't work now (only for the first image in a batch). But I think we can add a flag (like --validate-schema) to make users decide if they want validation or not. And it will apply to all images in a batch, not only for the first one, even regardless the performance of the operation.
But it's just a workaround... I think about if it feasible to fix it on the server side. We can't change v1 api, so restricting of those parameters to strings only (not ints or bools) is not possible.
What about to convert those types during serialisation in v2 (ie setting their type to 'string')?

Revision history for this message
Grant Murphy (gmurphy) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in python-glanceclient:
status: New → Incomplete
Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :
Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Also, the nova api can be used to update metadata on an image, so if you are running the Glance v2 api (not the Glance v1 api), but are running nova then a user can use the nova api to update an image with an invalid kernel_id/ramdisk_id.

Revision history for this message
Mike Fedosin (mfedosin) wrote :

Technically each user may execute this code:

import os
for _ in range(25):
    os.system('glance image-create --property ramdisk_id=666')

and It forbids admin to execute image-list command in v2 api. If user is able to create public images, image-list won't work for all users in the system. It's not deadly, because admin can list and delete them with v1 api, but very annoying.

I think Stuart patch does the right thing by rejecting schema validation for lists and it should be merged asap.

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Unless there are objections I'm going to make this bug publically viewable in the next couple of days.

Changed in ossa:
status: New → Incomplete
Changed in python-glanceclient:
status: Incomplete → New
status: New → Confirmed
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

I've put the correct status for each tasks. It's still unclear whenever this deserve an OSSA/CVE....
What other side effects this issue might have beside image listing with v2 API ? (e.g. Nova seems to only use the v1 API, so instance spawning is unlikely to be affected)

Anyway, no objections for making this bug public.

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

@Tristan

Thanks.

> What other side effects this issue might have beside image listing with v2 API ?

In terms of direct impact that's it I think.

The indirect impact is harder to be sure about, I *think* horizon/cinder may use v2 for example.

Changed in python-glanceclient:
assignee: nobody → Stuart McLaren (stuart-mclaren)
information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-glanceclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/211086

Changed in python-glanceclient:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-glanceclient (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/211091

Erno Kuvaja (jokke)
Changed in python-glanceclient:
importance: Undecided → Critical
Revision history for this message
Grant Murphy (gmurphy) wrote :

I'm not sure how to classify this, but given our taxonomy https://security.openstack.org/vmt-process.html#incident-report-taxonomy I was thinking we could classify this as "class D" and not issue an OSSA. Thoughts?

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Hi Grant,

Thanks. Reading through the descriptions D (or a little higher) is probably ok.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-glanceclient (master)

Reviewed: https://review.openstack.org/211086
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=43769d6cc7266d7c81db31ad58b4fa403c35b611
Submitter: Jenkins
Branch: master

commit 43769d6cc7266d7c81db31ad58b4fa403c35b611
Author: Stuart McLaren <email address hidden>
Date: Fri Jul 24 12:19:23 2015 +0000

    V2: Do not validate image schema when listing

    Previously when listing images via v2, the first image of each batch
    was validated against the v2 schema.

    This could lead to unpredictable behaviour where a particular image
    which failed the schema check may or may not be the first of a batch.

    In some cases it also meant that operation by one user could affect the
    ability of another other to list images.

    Change-Id: I22974a3e3d9cbdd254099780752ae45ff2a557af
    Closes-bug: 1477910

Changed in python-glanceclient:
status: In Progress → Fix Committed
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Agreed with "class D", this is annoying but maybe not OSSA worthy.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-glanceclient (stable/kilo)

Reviewed: https://review.openstack.org/211091
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=320bc6f0c991c85108f139971a5109b789fad3bf
Submitter: Jenkins
Branch: stable/kilo

commit 320bc6f0c991c85108f139971a5109b789fad3bf
Author: Stuart McLaren <email address hidden>
Date: Fri Jul 24 12:19:23 2015 +0000

    V2: Do not validate image schema when listing

    Previously when listing images via v2, the first image of each batch
    was validated against the v2 schema.

    This could lead to unpredictable behaviour where a particular image
    which failed the schema check may or may not be the first of a batch.

    In some cases it also meant that operation by one user could affect the
    ability of another other to list images.

    Change-Id: I22974a3e3d9cbdd254099780752ae45ff2a557af
    Closes-bug: 1477910
    (cherry picked from commit 43769d6cc7266d7c81db31ad58b4fa403c35b611)

Changed in ossa:
status: Incomplete → Won't Fix
Changed in python-glanceclient:
milestone: none → 1.0.0
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-glanceclient 0.17.3

This issue was fixed in the openstack/python-glanceclient 0.17.3 release.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.