Glance

[OSSA 2013-027] 'image_download' role in v2 causes traceback

Bug #1235378 reported by Stuart McLaren on 2013-10-04

268

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
Glance	Fix Released	Critical	Zhi Yan Liu	Glance 2013.2 "havana"
Folsom	Fix Committed	Undecided	Unassigned
Grizzly	Fix Released	Critical	Stuart McLaren	Glance 2013.1.4
OpenStack Security Advisory	Fix Released	Medium	Thierry Carrez

Bug Description

If you enable the 'image_download' policy as follows:

{
    "context_is_admin": "role:admin",
    "download_image": "role:admin", <<<
    "default": "",
    "manage_image_cache": "role:admin"
}

And attempt to download using the v2 api you get 200 rather than 403 (but, correctly, no data)
and a stack trace on the server:

6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
6234 DEBUG glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Tee'ing image '42c834df-3b35-4982-aed6-ffa4a44d3778' into cache
6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
6234 DEBUG glance.image_cache.drivers.sqlite [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Fetch of cache file failed (You are not authorized to complete this action.), rolling back by moving '/opt/stack/data/glance/cache/incomplete/42c834df-3b35-4982-aed6-ffa4a44d3778' to '/opt/stack/data/glance/cache/invalid/42c834df-3b35-4982-aed6-ffa4a44d3778'
6234 ERROR glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] You are not authorized to complete this action.
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Traceback (most recent call last):
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache for chunk in image_iter:
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache for chunk in self.image.get_data():
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache self.policy.enforce(self.context, 'download_image', {})
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache exception.Forbidden, action=action)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache return policy.check(rule, target, credentials, *args, **kwargs)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache raise exc(*args, **kwargs)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Forbidden: You are not authorized to complete this action.
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache
6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/eventlet/wsgi.py", line 402, in handle_one_response
    for data in result:
  File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
    for chunk in image_iter:
  File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
    for chunk in self.image.get_data():
  File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
    self.policy.enforce(self.context, 'download_image', {})
  File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
    exception.Forbidden, action=action)
  File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
    return policy.check(rule, target, credentials, *args, **kwargs)
  File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
    raise exc(*args, **kwargs)
Forbidden: You are not authorized to complete this action.
6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] 10.6.249.22 - - [04/Oct/2013 17:34:47] "GET /v2/images/42c834df-3b35-4982-aed6-ffa4a44d3778/file HTTP/1.1" 200 0 0.048832

Related branches

lp://staging/ubuntu/quantal-security/glance

lp://staging/ubuntu/quantal-updates/glance

lp://staging/ubuntu/raring-security/glance

CVE References

2013-4428

Stuart McLaren (stuart-mclaren) on 2013-10-04

tags:

added: havana-rc-potential

Revision history for this message

Stuart McLaren (stuart-mclaren) wrote on 2013-10-04:

I'm unlikely to be able to look at this in the short term, so if anyone else would like to pick it up feel free!

affects:

swift → glance

Zhi Yan Liu (lzy-dev) on 2013-10-05

Changed in glance:
assignee:	nobody → Zhi Yan Liu (lzy-dev)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-07: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/50016

Changed in glance:
status:	New → In Progress

Mark Washenberger (markwash) on 2013-10-08

Changed in glance:
importance:	Undecided → Critical
milestone:	none → icehouse-1

Thierry Carrez (ttx) on 2013-10-08

Changed in glance:
milestone:	icehouse-1 → havana-rc2
tags:	removed: havana-rc-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-09: Fix merged to glance (master)

Reviewed: https://review.openstack.org/50016
Committed: http://github.com/openstack/glance/commit/a50bfbf490fd354d08abd25b67aaab83b2a17a85
Submitter: Jenkins
Branch: master

commit a50bfbf490fd354d08abd25b67aaab83b2a17a85
Author: Zhi Yan Liu <email address hidden>
Date: Mon Oct 7 11:44:33 2013 +0800

Adding 'download_image' policy enforcement to image cache middleware

    Currently image cache middleware not care 'download_image' policy, the
    enforcement caused user receive empty content but with HTTP 200 code
    rather than 403 when client attempt to download image using v2 API. And
    the real Forbidden exception be logged in glance-api log which image
    application action raised. The end user is confused by this behavior.

Fixes bug: 1235378

Change-Id: Ibaa7ccf8613ee3cce4cb6a72e3206a2c94122222
Signed-off-by: Zhi Yan Liu <email address hidden>

Changed in glance:
status:	In Progress → Fix Committed

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-09: Re: 'image_download' role in v2 causes traceback

This has security implications (as explained in duplicate bug 1235226) and may generate a security advisory.

information type:	Public → Public Security
Changed in ossa:
status:	New → Confirmed
importance:	Undecided → Medium

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-09:

Grizzly patch proposed: https://review.openstack.org/#/c/50103/

Adam Gandelman (gandelman-a) on 2013-10-09

tags:

added: grizzly-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-10: Fix proposed to glance (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/50860

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-10: Fix proposed to glance (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/50865

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-10: Fix merged to glance (milestone-proposed)

Reviewed: https://review.openstack.org/50865
Committed: http://github.com/openstack/glance/commit/02e97689e60b643d446720659c9688702aea197b
Submitter: Jenkins
Branch: milestone-proposed

commit 02e97689e60b643d446720659c9688702aea197b
Author: Zhi Yan Liu <email address hidden>
Date: Mon Oct 7 11:44:33 2013 +0800

Adding 'download_image' policy enforcement to image cache middleware

Fixes bug: 1235378

    Related-Id: Ibaa7ccf8613ee3cce4cb6a72e3206a2c94122222
    Change-Id: I2822ee553d605b7d49576c886f42fa403cdbccf2
    Signed-off-by: Zhi Yan Liu <email address hidden>
    (cherry picked from commit a50bfbf490fd354d08abd25b67aaab83b2a17a85)

Changed in glance:
status:	Fix Committed → Fix Released

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-11: Re: 'image_download' role in v2 causes traceback

That's Grizzly/Havana only, right ? here is my attempt to an impact description:

===
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Grizzly and later

Description:
Stuart McLaren from HP reported a vulnerability in Glance download_image policy enforcement in the case of cached images. Deployers may opt to set a download_image policy to restrict image download to specific roles. However, when an image is previously cached by an authorized download, any authenticated user could download image contents if it can guess the image UUID, bypassing any download_image policy restrictions. This could result in disclosure of image contents that were thought to be protected by the download_image policy setting. Only setups making use of the download_image policy are affected.

Changed in ossa:
assignee:	nobody → Thierry Carrez (ttx)
status:	Confirmed → Triaged

Revision history for this message

Zhi Yan Liu (lzy-dev) wrote on 2013-10-11:

#10

@ttx, No I consider folsom need to fix also: https://review.openstack.org/50860

Revision history for this message

Stuart McLaren (stuart-mclaren) wrote on 2013-10-11:

#11

Zhi Yan,

Thanks!

Thierry:

Thanks for drawing up a wording.

"if it can guess the image UUID": in the case of public images there's not really any guessing required ... a public image's UUID will be visible when they list images. (Public images will also be more likely to be cached.)

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-11:

#12

that said, public images also are unlikely to be protected by image_download... but yeah. how about:

===
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: All versions

Description:
Stuart McLaren from HP reported a vulnerability in Glance download_image policy enforcement in the case of cached images. Deployers may opt to set a download_image policy to restrict image download to specific roles. However, when an image is previously cached by an authorized download, any authenticated user could download image contents if it can determine the image UUID, bypassing any download_image policy restrictions. This could result in disclosure of image contents that were thought to be protected by the download_image policy setting. Only setups making use of the download_image policy are affected.

Revision history for this message

Stuart McLaren (stuart-mclaren) wrote on 2013-10-11:

#13

Thanks Thierry -- looks good to me!

(FWIW download_image may be useful for public images which are licensed.)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-14: Fix merged to glance (stable/folsom)

#14

Reviewed: https://review.openstack.org/50860
Committed: http://github.com/openstack/glance/commit/feb735412021b771d4fe8b5706506abe6677899b
Submitter: Jenkins
Branch: stable/folsom

commit feb735412021b771d4fe8b5706506abe6677899b
Author: Zhi Yan Liu <email address hidden>
Date: Mon Oct 7 11:44:33 2013 +0800

Adding 'download_image' policy enforcement to image cache middleware

Fixes bug: 1235378

    Related-Id: Ibaa7ccf8613ee3cce4cb6a72e3206a2c94122222
    Change-Id: I6ce09c764436da52ed0a5219c33ae0fb542dd3f8
    Signed-off-by: Zhi Yan Liu <email address hidden>
    (cherry picked from commit a50bfbf490fd354d08abd25b67aaab83b2a17a85)

Revision history for this message

Jeremy Stanley (fungi) wrote on 2013-10-14: Re: 'image_download' role in v2 causes traceback

#15

The proposed impact description in comment #12 looks accurate to me.

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-15:

#16

CVE requested

Changed in ossa:
status:	Triaged → In Progress

Revision history for this message

Thomas Goirand (thomas-goirand) wrote on 2013-10-16:

#17

Hi,
Would Essex also be vulnerable?

Thomas

Thierry Carrez (ttx) on 2013-10-17

Changed in glance:
milestone:	havana-rc2 → 2013.2

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-17:

#18

CVE-2013-4428

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2013-10-18:

#19

The patch for Folsom adds tests for the v1 API, so I assume Essex is also affected and the Folsom patches backported.

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-21:

#20

OSSA to be released tomorrow Tuesday, Oct 22

Changed in ossa:
status:	In Progress → Fix Committed

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-22:

#21

[OSSA 2013-027]

Changed in ossa:
status:	Fix Committed → Fix Released
summary:	- 'image_download' role in v2 causes traceback + [OSSA 2013-027] 'image_download' role in v2 causes traceback

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2013-10-22:

#22

Looks like essex is not affected after all. 'download_image' functionality was not added until folsom (see bug #1038086).

Alan Pevec (apevec) on 2013-10-28

tags:

removed: grizzly-backport-potential

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicates of this bug

Bug #1235226

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.