14 glance-API Rate Limit (CVE-2016-8611)
Within the glance service, calls to the POST method within v1 or v2/images create records in queued status. No limit is enforced within the glance API on the number of images a single tenant may create. The only limit is on the total amount of storage a single user may consume. More information about this vulnerability is at https://nvd.nist.gov/vuln/detail/CVE-2016-8611

Therefore a user could maliciously or unintentionally fill multiple database tables (images, image_properties, image_tags, image_members) with useless image records, thereby causing a denial of service by lengthening transaction response times in the glance database.
This issue can be mitigated with a rate limiter on the glance-api haproxy endpoints. Only POST requests are affected. Instance launch is not impacted.

The number of images that can be created in a 60 minute window is limited. The default value is 600 connections per 60 minute window, which should cover most normal glance-api use cases. When the number of connections has been exceeded, the user is locked out for the duration of the 60 minute interval. The value for the number of connections per 60 minute period can be overridden by editing the control_plane.yml file.
The following steps will implement the rate limiter patch.

1. Edit control_plane.yml, adding the following glance_rate_limit entry. Change the glance_rate_limit value if the default of 600 connections does not fit your situation.

       - glance-api:
           ha_mode: false
           glance_stores: 'file'
           glance_default_store: 'file'
           glance_rate_limit: LIMIT
2. Commit the change to Git:

       ardana > git add -A
       ardana > git commit -m "Change glance rate limit"

3. Run the playbooks:

       ardana > cd ~/openstack/ardana/ansible
       ardana > ansible-playbook -i hosts/localhost config-processor-run.yml
       ardana > ansible-playbook -i hosts/localhost ready-deployment.yml
       ardana > cd ~/scratch/ansible/next/ardana/ansible
       ardana > ansible-playbook -i hosts/localhost FND-CLU-reconfigure.yml
Access attempts are logged in /var/log/haproxy.log. Users who exceed the limit will see a message such as:

    HTTP/1.0 429 Too Many Requests
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

    429 Too Many Requests
    You have sent too many requests in a given amount of time.
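Because the limiter only logs and refuses at the haproxy layer, an operator still wants to see which tenants are approaching the 600-per-hour image-create limit before they are locked out. The script below is an added example, not part of this documentation or of the Ardana playbooks: it reads haproxy lines in the standard "httplog" format (assumed to be what glance-api's frontend emits), counts POSTs to /v1/images and /v2/images per client address over a sliding 60 minute window, and reports clients that exceed a chosen limit together with the number of 429 responses seen. The host, frontend and backend names in the constructed sample lines are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard HAProxy "httplog" line layout; the constructed samples below follow it.
LOG_RE = re.compile(
    r'(?P<client>\d+\.\d+\.\d+\.\d+):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+ [-\d/]+ '
    r'(?P<status>\d{3}) \d+ \S+ \S+ \S+ \S+ \S+ "(?P<method>[A-Z]+) (?P<path>\S+)')
IMAGE_CREATE = re.compile(r'^/v[12]/images/?(\?\S*)?$')  # the endpoints the page names

def parse(line):
    """Return (client_ip, timestamp, status, method, path), or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S.%f')
    return m['client'], ts, int(m['status']), m['method'], m['path']

def image_post_bursts(lines, limit=600, window=timedelta(minutes=60)):
    """Sliding-window count of image-create POSTs per client (lines in time order).
    Returns ({client: peak count} for clients above `limit`, number of 429s seen)."""
    recent, offenders, rejected = defaultdict(deque), {}, 0
    for rec in filter(None, map(parse, lines)):
        client, ts, status, method, path = rec
        rejected += status == 429
        if method != 'POST' or not IMAGE_CREATE.match(path):
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:      # forget attempts older than the window
            q.popleft()
        if len(q) > limit:
            offenders[client] = max(offenders.get(client, 0), len(q))
    return offenders, rejected

def sample_line(client, ts, status, method, path):  # constructed line, hypothetical names
    return (f'Jan  1 12:00:00 node1 haproxy[100]: {client}:50000 [{ts}] glance-api-fe '
            f'glance-api-be/node1 0/0/1/5/6 {status} 200 - - ---- 1/1/0/0/0 0/0 '
            f'"{method} {path} HTTP/1.1"')

# Constructed sample: 10.0.0.5 sends four image-create POSTs in 30 minutes (last one
# refused) and one more an hour later; 10.0.0.6 creates one image and lists images once.
SAMPLE_LINES = [
    sample_line('10.0.0.5', '01/Jan/2024:12:00:00.000', 201, 'POST', '/v2/images'),
    sample_line('10.0.0.6', '01/Jan/2024:12:05:00.000', 201, 'POST', '/v1/images'),
    sample_line('10.0.0.5', '01/Jan/2024:12:10:00.000', 201, 'POST', '/v2/images'),
    sample_line('10.0.0.5', '01/Jan/2024:12:20:00.000', 201, 'POST', '/v2/images'),
    sample_line('10.0.0.6', '01/Jan/2024:12:25:00.000', 200, 'GET', '/v2/images'),
    sample_line('10.0.0.5', '01/Jan/2024:12:30:00.000', 429, 'POST', '/v2/images'),
    sample_line('10.0.0.5', '01/Jan/2024:13:30:00.000', 201, 'POST', '/v2/images'),
]
```

Running `image_post_bursts(SAMPLE_LINES, limit=3)` flags 10.0.0.5 with a peak of 4 creates in one window and reports the single 429; with the page's default limit of 600 nothing is flagged, so lower `limit` to get an early warning threshold below the enforced one.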