2024.2 Series Release Notes

29.1.0-2

Security Issues

  • Fixed multiple Server-Side Request Forgery (SSRF) vulnerabilities in Glance’s image import functionality. These vulnerabilities could allow attackers to bypass URL validation and access internal resources.

    web-download Import Method SSRF:

    The web-download import method had two SSRF vulnerabilities:

    HTTP Redirect Bypass: The web-download import method did not validate redirect destinations when following HTTP redirects. An attacker could provide an initial URL that passed validation but redirected to an internal or otherwise disallowed resource, bypassing the security checks. This has been fixed by implementing a SafeRedirectHandler that validates each redirect destination, using the same validate_import_uri() checks applied to the initial URL, before following it.

    IP Address Encoding Bypass: The web-download import method’s URL validation could be bypassed by writing IP addresses in alternative formats (decimal integer, hexadecimal, octal). For example, 127.0.0.1 could be written as 2130706433 (decimal) or 0x7f000001 (hexadecimal) to bypass the blacklist checks. This has been fixed by implementing a normalize_hostname() function that uses Python’s ipaddress module to validate IP addresses. The ipaddress module accepts only standard dotted-decimal notation for IPv4 and the standard textual format for IPv6, so all encoded formats (decimal, hexadecimal, octal) fail to parse and are rejected, preventing the SSRF bypass.

    glance-download Import Method SSRF:

    The glance-download import method had redirect validation bypass vulnerabilities in two steps of the import flow:

    Image Data Download: When downloading image data from a remote Glance endpoint, redirects were not validated, allowing attackers to redirect to internal services.

    Metadata Fetch: When fetching image metadata from a remote Glance endpoint, redirects were not validated, allowing attackers to redirect to internal services.

    Both steps have been fixed by using SafeRedirectHandler to validate redirect destinations before following them.

    OVF Processing SSRF:

    The OVF processing functionality had a critical SSRF vulnerability with no protection at all: no URI validation, no redirect validation and no IP normalization. The code called urllib.request.urlopen(uri) directly without any validation. This has been fixed by adding URI validation using validate_import_uri() and redirect validation using SafeRedirectHandler.

    Affected Components:

    • glance.common.scripts.utils.get_image_data_iter()

    • glance.common.utils.validate_import_uri()

    • glance.async_.flows._internal_plugins.glance_download._DownloadGlanceImage.execute()

    • glance.async_.flows.api_image_import._ImportMetadata.execute()

    • glance.async_.flows.ovf_process._OVF_Process._get_ova_iter_objects()

    Impact:

    • Severity: High (web-download, glance-download), Critical (OVF processing)

    • Affected Versions: All versions prior to this fix

    • Workaround: Administrators can temporarily disable affected import methods by removing them from the enabled_import_methods configuration option

    Bugs #2138602, #2138672, #2138675
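The two mechanisms described above, as an added example rather than Glance’s own code: a hostname normalizer that relies on ipaddress.ip_address() refusing non-canonical literals, a URI check that applies a hypothetical scheme and address-range policy, and a urllib redirect handler that re-runs that check on every redirect target before following it. The names (check_import_uri, ValidatingRedirectHandler, UnsafeImportURI), the blocked ranges and the example URLs are this example’s assumptions, not Glance’s validate_import_uri(), normalize_hostname() or SafeRedirectHandler.

```python
"""SSRF guards for an image-import fetcher: added illustrative example, not
Glance code.  Shows why ipaddress defeats encoded IP literals and how a
urllib redirect handler re-validates every redirect target."""
import ipaddress
import re
import urllib.parse
import urllib.request

# Hypothetical import policy for this example (not Glance's configuration).
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# A host built only from decimal or 0x-hex labels (2130706433, 0x7f000001,
# 0177.0.0.1) is an address literal, not a DNS name.  A libc resolver may
# still accept such forms as 127.0.0.1, which is exactly the bypass.
_NUMERIC_HOST = re.compile(r"^(0x[0-9a-f]+|[0-9]+)(\.(0x[0-9a-f]+|[0-9]+))*$")


class UnsafeImportURI(ValueError):
    """The URI must not be fetched."""


def normalize_hostname(hostname):
    """Return canonical host text or raise UnsafeImportURI.

    ipaddress.ip_address() parses only dotted-decimal IPv4 and standard
    IPv6 text, so every encoded variant raises ValueError.  Anything that
    fails but still looks like an address literal is refused rather than
    handed to the resolver.  DNS names are returned lowercased.
    """
    host = hostname.strip().lower()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]                       # bracketed IPv6 literal
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if ":" in host or _NUMERIC_HOST.match(host):
        raise UnsafeImportURI("non-canonical IP literal: %r" % hostname)
    return host


def check_import_uri(uri):
    """Validate scheme and host of uri; return the normalized host."""
    parts = urllib.parse.urlparse(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeImportURI("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise UnsafeImportURI("no host in %r" % uri)
    host = normalize_hostname(parts.hostname)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host                             # a DNS name; resolved later
    if any(addr in net for net in BLOCKED_NETWORKS):
        raise UnsafeImportURI("%s is in a blocked range" % addr)
    return host


def is_safe_import_uri(uri):
    """Boolean form of check_import_uri()."""
    try:
        check_import_uri(uri)
    except UnsafeImportURI:
        return False
    return True


class ValidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-run check_import_uri() on each redirect target before following it.

    urllib resolves a relative Location header against the current URL
    before calling redirect_request(), so newurl is already absolute here.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_import_uri(newurl)                # raises on internal targets
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def redirect_target(initial_url, location):
    """Offline check: the URL the handler would follow after a 302 to
    location, or None if the initial URL or the redirect is refused."""
    try:
        check_import_uri(initial_url)
        req = urllib.request.Request(initial_url)
        new_req = ValidatingRedirectHandler().redirect_request(
            req, None, 302, "Found", {}, location)
    except UnsafeImportURI:
        return None
    return new_req.full_url


if __name__ == "__main__":
    for url in ("http://mirror.example.org/cirros.img", "http://2130706433/",
                "http://0x7f000001/", "http://[::1]:9292/"):
        print(url, "ok" if is_safe_import_uri(url) else "REJECTED")
```

For real fetches, urllib.request.build_opener(ValidatingRedirectHandler) installs the subclass in place of the default HTTPRedirectHandler, so every redirect in a chain passes through the check. The example validates address literals only; DNS names are passed through to the resolver unchanged. Python 3.9.5 and later also reject IPv4 octets with leading zeros in ipaddress, so a form like 0177.0.0.1 is caught either by the parser or by the numeric-literal rule.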

Bug Fixes

  • Bug 2138602: Fixed SSRF vulnerability in web-download import method via HTTP redirect bypass and IP address encoding bypass. Added redirect validation using SafeRedirectHandler and IP address validation using Python’s ipaddress module to reject encoded IP formats and prevent bypass attacks.

  • Bug 2138672: Fixed SSRF vulnerability in glance-download import method via HTTP redirect bypass. Added redirect validation for both image data download and metadata fetch operations.

  • Bug 2138675: Fixed SSRF vulnerability in OVF processing functionality which lacked URI validation. Added URI validation and redirect validation to prevent SSRF attacks when processing OVA files.

29.0.0

New Features

  • This release adds the ability to add a new location to an image in the queued state. This replaces the image-update mechanism used by consumers such as Cinder and Nova, addressing OSSN-0090 and OSSN-0065.

  • This release adds the ability to get the locations associated with an image. The call is accessible only to service users, i.e. consumers such as Cinder and Nova, again to address OSSN-0090 and OSSN-0065.

Known Issues

  • With the http store, if a bad value is passed for os_hash_value in the validation data, the task fails as expected, but the location of the image is still stored, which is wrong and should be removed. The location cannot be deleted because location deletion is not allowed for the http store, so the image itself needs to be deleted as it is of no use.

  • When do_secure_hash is false, validation of the hashing data can only check that the hash value has the length expected for hash_algo, not the actual expected hash value. If a garbage hash value of the expected size is provided, the image becomes active after the location is added, but it is of no use: download or boot will fail with a corrupt image error.

Upgrade Notes

  • The following metadata definitions have been modified in the Dalmatian release:

    • Added hw_firmware_stateless boolean in the OS::Compute::LibvirtImage namespace.

    You may upgrade these definitions using:

    glance-manage db load_metadefs [--path <path>] [--merge] [--prefer_new]

  • The allow_additional_image_properties configuration option, which was deprecated in Ussuri, has been removed in this release.

  • The location_strategy functionality, which was deprecated in Bobcat (2023.2), has been removed in this release.

Deprecation Notes

  • The digest_algorithm configuration option has been deprecated in this release and is subject to removal at the beginning of the F development cycle, following the OpenStack standard deprecation policy.

    This option has had no effect since the removal of native SSL support.

  • The Glance API configuration option metadata_encryption_key is deprecated in this release and is subject to removal at the beginning of the F (2025.2) development cycle.

    The metadata_encryption_key option and its related functionality do not encrypt location metadata as a whole; they encrypt only the location URL, and only for specific APIs. Enabling the option during an upgrade may disrupt existing deployments, as no db upgrade script is provided to encrypt existing location URLs. Moreover, the encryption of location URLs is applied inconsistently, which results in download failures.

Security Issues

  • Images in the qcow2 format with an external data file are now rejected from glance because such images could be used in an exploit to expose host information. See Bug #2059809 for details.

Bug Fixes

  • Bug #2059809: Fixed issue where a qcow2 format image with an external data file could expose host information. Such images are now rejected by Glance. To achieve this, format_inspector has been extended with safety checks for qcow2 and VMDK files. Unsafe qcow2 and VMDK files are rejected by pre-examining them with the format inspector to ensure a safe configuration prior to any qemu-img operations.

  • Bug 2065087: glance-cache-prefetcher is not working as threadpool is not set

  • Bug 2059829: Install and configure (Ubuntu) in glance

  • Bug 1636243: Add CPU Mode Metadata Def

  • Bug 2072483: Revert image status to queued if image conversion fails

  • Bug 2061947: stores-info --detail command fails if Swift store is enabled

  • The glance-api service no longer attempts to load api-paste.ini file as its service config file. All config options should be written in service config files such as glance-api.conf.

  • Bug #2073945: Fixed an issue with VM creation in DCN deployments with the RBD backend, where an edge node does not have the store that is part of the image locations defined and the operation fails.

  • Bug #2054575: Fixed an issue where Cinder uploading a volume to Glance via the optimised path was rejected by Glance with an invalid location error. The old location format sent by Cinder is now converted into the new location format supported by multi-store, so volumes can again be uploaded via the optimised path.
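The pre-examination step described for Bug #2059809 (in the Security Issues and Bug Fixes entries above), as an added example that is not Glance’s format_inspector code: parse the qcow2 header in pure Python and refuse the image before any qemu-img operation touches it. The field layout and feature-bit numbering follow the qcow2 specification (incompatible-features bit 2 is the external data file flag); the header bytes are constructed in-code for the demo, there is no real image. Going one step beyond what the note states, the example also treats a backing-file reference and any incompatible-feature bit it does not know as unsafe. VMDK is not covered here.

```python
"""Pre-examine a qcow2 header before any qemu-img call: added illustrative
example, not Glance's format_inspector.  Refuses images whose header
advertises an external data file (the Bug #2059809 case) and, beyond the
note, images that reference a backing file or set unknown feature bits."""
import struct

QCOW2_MAGIC = b"QFI\xfb"
# qcow2 header layout (big-endian); version 3 appends the feature words.
_V2_HEADER = struct.Struct(">4sIQIIQIIQQIIQ")   # 72 bytes, versions 2 and 3
_V3_EXTRA = struct.Struct(">QQQII")              # 32 more bytes, version 3
# incompatible_features bits defined by qemu; bit 2 is the external data file.
INCOMPAT_DIRTY, INCOMPAT_CORRUPT, INCOMPAT_DATA_FILE = 1 << 0, 1 << 1, 1 << 2
INCOMPAT_COMPRESSION, INCOMPAT_EXTL2 = 1 << 3, 1 << 4
KNOWN_INCOMPAT = (INCOMPAT_DIRTY | INCOMPAT_CORRUPT | INCOMPAT_DATA_FILE
                  | INCOMPAT_COMPRESSION | INCOMPAT_EXTL2)


def inspect_qcow2(data):
    """Parse the header bytes of a qcow2 file and return a dict of findings.

    Raises ValueError for anything that is not a qcow2 v2/v3 header.
    'safe' is False when the image uses an external data file, names a
    backing file, or sets an incompatible-feature bit this inspector
    does not know (qemu would refuse it, but we do not want to find out).
    """
    if len(data) < _V2_HEADER.size or data[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 header")
    (_magic, version, backing_off, backing_len, _cluster_bits, size, _crypt,
     _l1_size, _l1_off, _rc_off, _rc_clusters, _nb_snap,
     _snap_off) = _V2_HEADER.unpack_from(data)
    incompatible = 0
    if version >= 3:
        if len(data) < _V2_HEADER.size + _V3_EXTRA.size:
            raise ValueError("truncated qcow2 v3 header")
        incompatible, _compat, _autoclear, _rc_order, _hdr_len = \
            _V3_EXTRA.unpack_from(data, _V2_HEADER.size)
    elif version != 2:
        raise ValueError("unsupported qcow2 version %d" % version)
    findings = {
        "version": version,
        "virtual_size": size,
        "has_backing_file": backing_off != 0 and backing_len != 0,
        "has_data_file": bool(incompatible & INCOMPAT_DATA_FILE),
        "unknown_incompatible": bool(incompatible & ~KNOWN_INCOMPAT),
    }
    findings["safe"] = not (findings["has_backing_file"]
                            or findings["has_data_file"]
                            or findings["unknown_incompatible"])
    return findings


def make_qcow2_header(version=3, incompatible=0, backing_file=b""):
    """Build a minimal constructed header for the demo (no data clusters).

    The backing file name, when given, is placed right after the header,
    which is where qemu-img writes it.  Other fields hold plausible
    constants (64 KiB clusters, 1 GiB virtual size, refcount_order 4).
    """
    hdr_len = _V2_HEADER.size + (_V3_EXTRA.size if version >= 3 else 0)
    backing_off = hdr_len if backing_file else 0
    head = _V2_HEADER.pack(QCOW2_MAGIC, version, backing_off, len(backing_file),
                           16, 1 << 30, 0, 1, 0x10000, 0x20000, 1, 0, 0)
    if version >= 3:
        head += _V3_EXTRA.pack(incompatible, 0, 0, 4, hdr_len)
    return head + backing_file


if __name__ == "__main__":
    for label, hdr in (("plain", make_qcow2_header()),
                       ("data-file", make_qcow2_header(incompatible=INCOMPAT_DATA_FILE)),
                       ("backing", make_qcow2_header(backing_file=b"/etc/passwd"))):
        print(label, inspect_qcow2(hdr))
```

In a pipeline, inspect_qcow2() would be fed the first few hundred bytes of the uploaded stream and the import aborted on `safe == False`; the point of doing this in the service’s own code is that the decision is made before qemu-img, which would otherwise honour the data-file or backing-file reference, ever opens the image.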