Correct the scope of OSSN-0090
Corrected the scope of the "Discussion" section from limiting it to end-users, as outlined in the bug comment #43 [0].

Removed the "hence" from line 86 as that would be suggesting Glance doing the checksumming normally, which is a false impression. The data is not verified because of not going through Glance but because the consumer decides to not verify it. Subtle but important difference.

[0] https://bugs.launchpad.net/glance/+bug/1990157/comments/43

Change-Id: Ib42b486f854e39cdae8762f596266d6c24e8b3fb
parent e25426055d
commit 0a99808d7d
@ -12,10 +12,10 @@ deployment configuration that can mitigate such attacks.
|
|||||||
Glance, all supported releases (Queens through Zed)
|
Glance, all supported releases (Queens through Zed)
|
||||||
|
|
||||||
### Discussion ###
|
### Discussion ###
|
||||||
This note applies to you if you are operating an end-user-facing
|
This note applies to you if you are operating a glance-api service with
|
||||||
glance-api service with the 'show_multiple_locations' option set to True
|
the 'show_multiple_locations' option set to True (the default value
|
||||||
(the default value is False) or if your end-user-facing glance-api has
|
is False) or if your end-user-facing glance-api has the
|
||||||
the 'show_image_direct_url' option set to True (default value is False).
|
'show_image_direct_url' option set to True (default value is False).
|
||||||
|
|
||||||
Our recommendation is that the image "locations" and "direct_url"
|
Our recommendation is that the image "locations" and "direct_url"
|
||||||
fields [0] *never* be displayed to end users in a cloud. This can be
|
fields [0] *never* be displayed to end users in a cloud. This can be
|
||||||
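Review bot: The scope is only half widened in this paragraph: the first condition now reads "operating a glance-api service with the 'show_multiple_locations' option set to True", but the second condition still says "your end-user-facing glance-api has the 'show_image_direct_url' option", and the recommendation that follows still speaks of "end users in a cloud". If the note is meant to apply to any glance-api service with either option enabled, drop "end-user-facing" from the second clause as well, or state why the two options are scoped differently.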
@ -35,7 +35,7 @@ release notes in the Rocky [2] through Ussuri releases, but it seems that
|
|||||||
the idea has not received sufficient attention. Hence this security note.
|
the idea has not received sufficient attention. Hence this security note.
|
||||||
|
|
||||||
The attack vector that becomes available when image locations are exposed to
|
The attack vector that becomes available when image locations are exposed to
|
||||||
end users was originally outlined in OSSN-0065 [3], though that note was not
|
users was originally outlined in OSSN-0065 [3], though that note was not
|
||||||
clear about the attack surface or mitigation, and contained some
|
clear about the attack surface or mitigation, and contained some
|
||||||
forward-looking statements that were not fulfilled. The attack vector is:
|
forward-looking statements that were not fulfilled. The attack vector is:
|
||||||
|
|
||||||
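Review bot: "users" in "exposed to users" is left undefined once "end" is dropped, and it now disagrees with the Discussion paragraph, which still says the fields should "*never* be displayed to end users in a cloud". Pick one term for who must not see image locations and use it in both places; if the wider meaning is intended, name it explicitly (for example, any consumer of the Images API). The shortened line could also be re-wrapped with the rest of the paragraph.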
@ -83,7 +83,7 @@ is disabled in Glance, it is not possible to manipulate the locations
|
|||||||
via the OpenStack Images API. Keep in mind, however, that in any
|
via the OpenStack Images API. Keep in mind, however, that in any
|
||||||
Glance/Nova/Cinder configuration where Nova and/or Cinder do copy-on-write
|
Glance/Nova/Cinder configuration where Nova and/or Cinder do copy-on-write
|
||||||
directly in the image store, image data transfer takes place outside Glance's
|
directly in the image store, image data transfer takes place outside Glance's
|
||||||
image data download path, and hence the os_hash_value is *not* checked. Thus,
|
image data download path, and the os_hash_value is *not* checked. Thus,
|
||||||
if the backend store is itself compromised and image data is replaced
|
if the backend store is itself compromised and image data is replaced
|
||||||
directly in the backend, the substitution will *not* be detected.
|
directly in the backend, the substitution will *not* be detected.
|
||||||
|
|
||||||
|
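Review bot: With "hence" removed, "and the os_hash_value is *not* checked" no longer says who skips the check, and the "Thus," that follows still reads as a consequence of the data path alone. The commit message gives the actual reason (the consumer decides not to verify the data); put that in the sentence itself, for example "and the consumer does not check the os_hash_value", so a reader cannot infer that the check is skipped merely because the transfer bypasses Glance.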