Applies to SUSE OpenStack Cloud 9

14 glance-API Rate Limit (CVE-2016-8611)

Within the glance service, POST requests to v1/images or v2/images create records in queued status. The glance API enforces no limit on the number of images a single tenant may create. The only limit is on the total amount of storage a single user may consume. For more information about this vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2016-8611

Therefore a user could maliciously or unintentionally fill multiple database tables (images, image_properties, image_tags, image_members) with useless image records, thereby causing a denial of service by lengthening transaction response times in the glance database.

This issue can be mitigated by adding a rate limiter to the glance-api haproxy endpoints. Only POST requests are affected; instance launch is not impacted. The rate limiter caps the number of images that can be created in a 60-minute window. The default value is 600 connections per 60-minute window, which should cover most normal glance-api use cases. When the number of connections has been exceeded, the user is locked out for the duration of the 60-minute interval. The number of connections allowed per 60-minute period can be overridden by editing the control_plane.yml file.

The following steps will implement the rate limiter patch.

  1. Edit control_plane.yml, adding the following glance_rate_limit entry. Change the glance_rate_limit value if the default of 600 connections does not fit your situation.

    - glance-api:
        ha_mode: false
        glance_stores: 'file'
        glance_default_store: 'file'
        glance_rate_limit: LIMIT

  2. Commit the change to Git.

    ardana > git add -A
    ardana > git commit -m "Change glance rate limit"

  3. Run the playbooks.

    ardana > cd ~/openstack/ardana/ansible
    ardana > ansible-playbook -i hosts/localhost config-processor-run.yml
    ardana > ansible-playbook -i hosts/localhost ready-deployment.yml
    ardana > cd ~/scratch/ansible/next/ardana/ansible
    ardana > ansible-playbook -i hosts/localhost FND-CLU-reconfigure.yml

Access attempts are logged in /var/log/haproxy.log. Users who exceed the limit will see a message such as:

429 Too Many Requests
You have sent too many requests in a given amount of time.

HTTP/1.0 429 Too Many Requests
Cache-Control: no-cache
Connection: close
Content-Type: text/html
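
To check which clients are approaching or hitting the limit before changing glance_rate_limit, the haproxy log can be summarized per client. The following is an added example, not part of the SUSE documentation or the Ardana code. It assumes HAProxy's standard httplog line layout, counts POST requests to the images endpoints as a stand-in for the per-window connection count, and uses constructed sample lines; the function names are chosen here for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: HAProxy "option httplog" layout; adapt if log-format differs.
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+ \S+ '
    r'(?P<status>\d{3}) .*"POST /v[12]/images')
WINDOW = timedelta(minutes=60)  # interval stated on this page
LIMIT = 600                     # default glance_rate_limit stated on this page

def image_posts(lines):
    """Yield (client_ip, timestamp, status) for POSTs to v1 or v2 images."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
            yield m["ip"], ts, int(m["status"])

def summarize(lines, limit=LIMIT, warn_ratio=0.8):
    """Per client: peak POST attempts in any 60-minute span, 429 count, state."""
    stamps_by_ip, rejected = defaultdict(list), Counter()
    for ip, ts, status in image_posts(lines):
        stamps_by_ip[ip].append(ts)
        rejected[ip] += status == 429
    report = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] >= WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        state = ("limited" if rejected[ip] else
                 "near-limit" if peak >= warn_ratio * limit else "ok")
        report[ip] = {"peak": peak, "rejected": rejected[ip], "state": state}
    return report

def sample_lines(ip, count, step_s, status=201, method="POST"):
    """Constructed log lines (not real data): `count` requests, step_s apart."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for i in range(count):
        ts = (t0 + timedelta(seconds=i * step_s)).strftime("%d/%b/%Y:%H:%M:%S.%f")
        yield (f'Jan  1 09:00:00 ctl1 haproxy[2112]: {ip}:40000 [{ts[:-3]}] glance-api '
               f'glance-api/srv1 0/0/1/5/6 {status} 200 - - ---- 1/1/0/0/0 0/0 '
               f'"{method} /v2/images HTTP/1.1"')

if __name__ == "__main__":
    print(summarize(sample_lines("192.0.2.10", 500, 5)))
```

To analyze a real log, pass `open("/var/log/haproxy.log")` to `summarize()` in place of the sample lines.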