From 0a99808d7d6a988d943072c1326032e0ab363bbb Mon Sep 17 00:00:00 2001 From: Erno Kuvaja Date: Wed, 19 Oct 2022 12:39:16 +0100 Subject: [PATCH] Correct the scope of OSSN-0090 Corrected the scope of "Discussion" section from limiting it to end-users like outlined in the bug comment #43 [0]. Removed the "hence" from line 86 as that would be suggesting Glance doing the checksumming normally, which is false impression.. The data is not verified because of not going through Glance but because the consumer decides to not verify it. Subtle but important difference. [0] https://bugs.launchpad.net/glance/+bug/1990157/comments/43 Change-Id: Ib42b486f854e39cdae8762f596266d6c24e8b3fb --- security-notes/OSSN-0090 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/security-notes/OSSN-0090 b/security-notes/OSSN-0090 index e6d38165..30738c48 100644 --- a/security-notes/OSSN-0090 +++ b/security-notes/OSSN-0090 @@ -12,10 +12,10 @@ deployment configuration that can mitigate such attacks. Glance, all supported releases (Queens through Zed) ### Discussion ### -This note applies to you if you are operating an end-user-facing -glance-api service with the 'show_multiple_locations' option set to True -(the default value is False) or if your end-user-facing glance-api has -the 'show_image_direct_url' option set to True (default value is False). +This note applies to you if you are operating a glance-api service with +the 'show_multiple_locations' option set to True (the default value +is False) or if your end-user-facing glance-api has the +'show_image_direct_url' option set to True (default value is False). Our recommendation is that the image "locations" and "direct_url" fields [0] *never* be displayed to end users in a cloud. This can be 
@@ -35,7 +35,7 @@ release notes in the Rocky [2] through Ussuri releases, but it seems that the idea has not received sufficient attention. Hence this security note. The attack vector that becomes available when image locations are exposed to -end users was originally outlined in OSSN-0065 [3], though that note was not +users was originally outlined in OSSN-0065 [3], though that note was not clear about the attack surface or mitigation, and contained some forward-looking statements that were not fulfilled. The attack vector is: @@ -83,7 +83,7 @@ is disabled in Glance, it is not possible to manipulate the locations via the OpenStack Images API. Keep in mind, however, that in any Glance/Nova/Cinder configuration where Nova and/or Cinder do copy-on-write directly in the image store, image data transfer takes place outside Glance's -image data download path, and hence the os_hash_value is *not* checked. Thus, +image data download path, and the os_hash_value is *not* checked. Thus, if the backend store is itself compromised and image data is replaced directly in the backend, the substitution will *not* be detected.
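Review bot: in the first hunk (@@ -12,10) the change drops "end-user-facing" from the 'show_multiple_locations' clause but leaves it in the 'show_image_direct_url' clause ("or if your end-user-facing glance-api has the 'show_image_direct_url' option set to True"). If the intent per comment #43 is to widen the note's scope to any glance-api deployment, the second clause should be changed the same way, e.g. "or if your glance-api has the 'show_image_direct_url' option set to True (default value is False)"; as written, a reader will conclude that 'show_image_direct_url' only matters on end-user-facing endpoints, which contradicts the commit message.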
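Review bot: in the third hunk (@@ -83,7), removing "hence" leaves the sentence asserting that the os_hash_value is *not* checked without stating why, which is the distinction the commit message says it wants to make (the consumer chooses not to verify, not that Glance's verification is bypassed). Suggest naming the actor explicitly, e.g. "image data transfer takes place outside Glance's image data download path, and the consumer (Nova or Cinder) does not verify the os_hash_value." Otherwise the reader can still infer the old meaning from the surrounding "Keep in mind, however, ..." sentence.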