Correct the scope of OSSN-0090

Corrected the scope of the "Discussion" section from limiting it to
end-users, as outlined in the bug comment #43 [0].

Removed the "hence" from line 86 as that would suggest Glance does
the checksumming normally, which is a false impression.
The data is not verified not because it does not go through Glance,
but because the consumer decides not to verify it. Subtle but
important difference.

[0] https://bugs.launchpad.net/glance/+bug/1990157/comments/43

Change-Id: Ib42b486f854e39cdae8762f596266d6c24e8b3fb
Erno Kuvaja 2022-10-19 12:39:16 +01:00
parent e25426055d
commit 0a99808d7d
1 changed files with 6 additions and 6 deletions


@ -12,10 +12,10 @@ deployment configuration that can mitigate such attacks.
Glance, all supported releases (Queens through Zed)
### Discussion ###
This note applies to you if you are operating an end-user-facing
glance-api service with the 'show_multiple_locations' option set to True
(the default value is False) or if your end-user-facing glance-api has
the 'show_image_direct_url' option set to True (default value is False).
This note applies to you if you are operating a glance-api service with
the 'show_multiple_locations' option set to True (the default value
is False) or if your end-user-facing glance-api has the
'show_image_direct_url' option set to True (default value is False).
Our recommendation is that the image "locations" and "direct_url"
fields [0] *never* be displayed to end users in a cloud. This can be
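Review bot: the scope correction is only half applied in this hunk: the first condition drops "end-user-facing", but the second still reads "or if your end-user-facing glance-api has the 'show_image_direct_url' option set to True". If the note now applies to any glance-api with these options enabled, drop "end-user-facing" there as well, e.g. "or if your glance-api has the 'show_image_direct_url' option set to True". The trailing recommendation that the fields "*never* be displayed to end users in a cloud" may need the same broadening for consistency.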
@ -35,7 +35,7 @@ release notes in the Rocky [2] through Ussuri releases, but it seems that
the idea has not received sufficient attention. Hence this security note.
The attack vector that becomes available when image locations are exposed to
end users was originally outlined in OSSN-0065 [3], though that note was not
users was originally outlined in OSSN-0065 [3], though that note was not
clear about the attack surface or mitigation, and contained some
forward-looking statements that were not fulfilled. The attack vector is:
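Review bot: the change from "exposed to end users" to "exposed to users" is not described in the commit message, which only covers the Discussion scope and the "hence" removal; add a line to the message recording why this sentence was widened, and confirm that the "displayed to end users" wording kept in the preceding hunk is intended to stay narrower than this one.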
@ -83,7 +83,7 @@ is disabled in Glance, it is not possible to manipulate the locations
via the OpenStack Images API. Keep in mind, however, that in any
Glance/Nova/Cinder configuration where Nova and/or Cinder do copy-on-write
directly in the image store, image data transfer takes place outside Glance's
image data download path, and hence the os_hash_value is *not* checked. Thus,
image data download path, and the os_hash_value is *not* checked. Thus,
if the backend store is itself compromised and image data is replaced
directly in the backend, the substitution will *not* be detected.
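Review bot: removing "hence" drops the wrong causal link but leaves no reason at all for why os_hash_value is not checked, so a reader may still infer the transfer path is the cause. Per the commit message the point is that the consumer chooses not to verify, so state that explicitly, e.g. "image data download path, and the os_hash_value is *not* checked by the consumer."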