Reviewed: https://review.opendev.org/c/openstack/neutron/+/937887
Committed: https://opendev.org/openstack/neutron/commit/810b224b9139b2696221a0420ece4b9123aaec29
Submitter: "Zuul (22348)"
Branch: master

commit 810b224b9139b2696221a0420ece4b9123aaec29
Author: Slawek Kaplonski <skapl...@redhat.com>
Date: Tue Dec 17 16:13:16 2024 +0100

    Add limit of tags for every resource

    There is now a limit of 50 tags which can be created for every single
    resource. The limit of 50 was chosen as this should be enough for every
    use case. Also e.g. Nova already has a limit of 50 tags for server
    implemented, so with such limit Neutron will be consistent with Nova
    in that.

    Closes-Bug: #2091410
    Change-Id: I9b87d0425ac0dfdde75d2dd661f02d7124ea4f8b

** Changed in: neutron
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2091410

Title:
  Denial of service by adding an unbounded number of tags to a network

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  It appears like users can add as many tags as they like to a neutron
  network. It is possible this can lead to a denial of service attack.

  How to reproduce:

    for i in {1..10000}; do echo "--tag test$i"; done | xargs openstack network set testnetworkname

  Expected outcome: 400 Bad request
  Actual outcome: it works

  While not the biggest of problems, it can be made worse by not patching
  this CVE: https://bugs.launchpad.net/neutron/+bug/2088986

  In that case, I think an attacker can keep adding lots of tags to a
  shared public network, massively increasing the DB size and load over
  time. I believe the only access they need is a valid keystone project
  scoped token, and they can add tags to a shared public network.

  It was trivial to make network show take twice as long with just 20k
  of tags.

  There might be some quota or similar I am missing here?

  Nova currently has a hardcoded limit of 50 tags, that are limited in
  the API layer in a few places, including:
  https://github.com/stackhpc/nova/blob/701be180f74d8a127196acd842e813a8a7bf267c/nova/api/openstack/compute/server_tags.py#L126
  https://github.com/stackhpc/nova/blob/701be180f74d8a127196acd842e813a8a7bf267c/nova/api/openstack/compute/schemas/server_tags.py#L23
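As an added example (not Neutron's own code and not taken from the commit above): the per-resource tag cap the fix describes, modelled in Python with the 50-tag limit the commit message states. The in-memory resource dict, the two operation shapes (whole-set replace vs. single-tag add) and the audit helper are assumptions made for illustration.

```python
"""Tag-count limit enforcement, modelled on the fix described above.

Added example, not Neutron's own code. The cap of 50 comes from the
commit message; the resource dict, operation names and the audit
helper are assumptions made for this illustration.
"""
from typing import Iterable

MAX_TAGS_PER_RESOURCE = 50  # value chosen by the fix; Nova uses the same cap


class TagLimitExceeded(ValueError):
    """Raised before anything is persisted; an API layer would map it to 400."""


def validate_tag_set(tags: Iterable[str], limit: int = MAX_TAGS_PER_RESOURCE) -> set:
    """Deduplicate the requested tags and reject a set larger than the limit."""
    unique = set(tags)
    if len(unique) > limit:
        raise TagLimitExceeded(f"{len(unique)} tags requested, maximum is {limit}")
    return unique


def replace_tags(resource: dict, tags: Iterable[str]) -> dict:
    """Whole-set replacement: validation runs before the write, so a
    rejected request leaves the stored tags untouched."""
    resource["tags"] = validate_tag_set(tags)
    return resource


def add_tag(resource: dict, tag: str) -> dict:
    """Single-tag add: the limit applies to existing + new tags, not to the
    request alone, otherwise a caller could exceed it one tag at a time.
    Re-adding an existing tag is idempotent and does not count."""
    merged = set(resource.get("tags", ())) | {tag}
    resource["tags"] = validate_tag_set(merged)
    return resource


def find_overtagged(resources: Iterable[dict], limit: int = MAX_TAGS_PER_RESOURCE) -> list:
    """Audit helper: ids of resources already over the limit, e.g. networks
    that were tagged before the limit was enforced (constructed input)."""
    return [r["id"] for r in resources if len(set(r.get("tags", ()))) > limit]
```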