Image data stays in store if image is deleted after creating image using import task (CVE-2015-3289)

Bug #1454087 reported by Abhishek Kekane
Affects                      Status        Importance  Assigned to        Milestone
Glance                       Fix Released  Undecided   Unassigned
OpenStack Security Advisory  Fix Released  Undecided   Tristan Cacqueray

Bug Description

When an image created through the task API (import-from) is deleted, the image record is removed from the database, but the image data remains in the backend store.

Steps to reproduce:
1. Create an image using the task API:

$ curl -i -X POST -H 'User-Agent: python-glanceclient' -H 'Content-Type: application/json' -H 'Accept-Encoding: gzip, deflate, compress' -H 'Accept: */*' -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e' -d '{"type": "import", "input": {"import_from": "http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso", "import_from_format": "raw", "image_properties": {"disk_format": "raw", "container_format": "bare", "name": "task_image"}}}' http://10.69.4.176:9292/v2/tasks

2. Wait until the image becomes active.
3. Confirm that the image is in the active state:
   $ glance image-list
4. Delete the image:
   $ glance image-delete <image-id>
5. Verify that image-list no longer shows the deleted image:
   $ glance image-list

The image is deleted from the database, but its data is still present in the backend store.

Note:
This issue is fixed in master by the patch https://review.openstack.org/#/c/181345/4
It will be resolved in stable/kilo by back-porting that patch.

Affected branches: stable/kilo
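As an added example (not code from the Glance project or from this report), the following Python audit shows the check an operator of an affected stable/kilo deployment would want to run: it cross-references the image location records Glance keeps in its database against a listing of the backend store and reports objects that no live image still references, with their size and the deleted image that used to own them. The image rows, the store listing, the file:// location layout and the field names are constructed sample data and assumptions for illustration; they are not taken from this page.

```python
"""Orphan audit for a Glance backend store (added example, not Glance code).

Cross-references image location records, as Glance's database holds them,
against a listing of the backend store and reports objects that no live
image still references.  All inputs below are constructed sample data.
"""
from urllib.parse import urlparse

# Constructed sample of the images table after the reproduction steps:
# one live image plus two task-imported images that were deleted.
# Assumption: Glance soft-deletes rows, so deleted images keep their locations.
IMAGES = [
    {"id": "a1", "status": "active", "deleted": False,
     "locations": ["file:///var/lib/glance/images/a1"]},
    {"id": "b2", "status": "deleted", "deleted": True,
     "locations": ["file:///var/lib/glance/images/b2"]},
    {"id": "c3", "status": "deleted", "deleted": True,
     "locations": ["file:///var/lib/glance/images/c3"]},
]

# Constructed listing of the filesystem store: path -> size in bytes.
# b2 and c3 are still present although their image records were deleted.
STORE = {
    "/var/lib/glance/images/a1": 4 * 1024 * 1024,
    "/var/lib/glance/images/b2": 600 * 1024 * 1024,
    "/var/lib/glance/images/c3": 600 * 1024 * 1024,
}


def location_key(uri):
    """Reduce a store location URI to the key the store listing uses.

    Assumption: file:// locations map to the filesystem path; other schemes
    (swift, rbd, ...) are keyed by the path component of the URI.
    """
    return urlparse(uri).path


def referenced_keys(images):
    """Keys still owned by images that have not been deleted."""
    keys = set()
    for image in images:
        if image["deleted"] or image["status"] == "deleted":
            continue
        for uri in image["locations"]:
            keys.add(location_key(uri))
    return keys


def find_orphans(images, store):
    """Return {key: bytes} for store objects that no live image references."""
    live = referenced_keys(images)
    return {key: size for key, size in store.items() if key not in live}


def orphan_report(images, store):
    """Summarise orphans: count, total bytes, and for each object the image
    (live or soft-deleted) whose location record still points at it."""
    orphans = find_orphans(images, store)
    former_owner = {}
    for image in images:
        for uri in image["locations"]:
            former_owner.setdefault(location_key(uri), image["id"])
    return {
        "count": len(orphans),
        "bytes": sum(orphans.values()),
        "objects": {key: {"bytes": size, "former_owner": former_owner.get(key)}
                    for key, size in orphans.items()},
    }


if __name__ == "__main__":
    report = orphan_report(IMAGES, STORE)
    print(f"{report['count']} orphaned objects, {report['bytes']} bytes")
    for key, info in report["objects"].items():
        print(f"  {key}  {info['bytes']} bytes  (was image {info['former_owner']})")
```

In a real deployment the two inputs would come from the images and image_locations tables and from a listing of the configured store; objects the audit reports with a former owner are exactly the accumulation the attack scenario below relies on, and objects with no owner at all point to a location record that was never written.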

CVE References: CVE-2015-3289

Abhishek Kekane (abhishek-kekane) wrote:

Attack scenario here is to create/delete a lot of images using import task and DoS the image backend by filling it up.

Jeremy Stanley (fungi) wrote:

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Flavio Percoco (flaper87) wrote:

This is indeed a bug and, as mentioned in the description, it's been fixed already. The backport has been done already but it's currently awaiting a resolution to the problems we have in the gate.

https://review.openstack.org/#/c/181816/

Tristan Cacqueray (tristan-cacqueray) wrote:

How is this bug different from bug 1371118 and bug 1420696?

I guess we better cover this by doing an ERRATA to OSSA-2015-004...

Tristan Cacqueray (tristan-cacqueray) wrote:

@flaper87 Doesn't this also affect Juno?

Flavio Percoco (flaper87) wrote:

I'm sorry, I missed this comment :(

It doesn't affect juno, this code was added in Kilo.

Tristan Cacqueray (tristan-cacqueray) wrote:

Since this issue relates to the new task flow (as opposed to the import task of OSSA 2015-004), I guess it deserves its own OSSA and CVE.

Title: Glance task flow leaks image in backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2015.1.0

Description:
Abhishek Kekane from NTT reported a vulnerability in Glance. By creating numerous images using the import task flow API and deleting them, an authenticated attacker may accumulate untracked image data in the backend resulting in potential resource exhaustion and denial of service. All glance setups are affected.

Changed in ossa:
status: Incomplete → Triaged
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Flavio Percoco (flaper87) wrote:

This sounds good to me.

Jeremy Stanley (fungi) wrote:

For the impact description in comment #7, let's try to avoid non-vulnerability-related uses of the overloaded term "leak" to reduce confusion. How about switching the title to something like "Glance task flow may fail to delete image from backend".

Tristan Cacqueray (tristan-cacqueray) wrote:

Thanks, the CVE has been assigned with the last proposed title.

summary: Image data stays in store if image is deleted after creating image using
- import task
+ import task (CVE-2015-3289)
Grant Murphy (gmurphy) wrote:

Disclosure date set for 2015-07-28. pre-OSSA sent to downstream stakeholders.

Changed in ossa:
status: Triaged → Fix Committed
Grant Murphy (gmurphy) wrote:
Changed in ossa:
status: Fix Committed → Fix Released
information type: Private Security → Public
description: updated
Abhishek Kekane (abhishek-kekane) wrote:

As patch https://review.openstack.org/#/c/181816/ is merged in stable/kilo, this bug can be marked as Fix Released.

Erno Kuvaja (jokke)
Changed in glance:
status: New → Fix Released