OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming
- Date: October 03, 2024
- CVE: CVE-2024-47211
Affects
Ironic: <21.4.4, >=22.0.0 <23.0.3, >=23.1.0 <24.1.3, >=25.0.0 <26.1.0
Description
Julia Kreger of Red Hat discovered a flaw in Ironic's image validation. When Ironic is configured to convert downloaded images to raw format for streaming, the image retrieved from the node's image_source URL may not have its checksum validated before it is converted, so the supplied checksum never catches a change to the data. An attacker able to alter traffic between the Ironic conductor and the image server (a man-in-the-middle) could therefore substitute modified image content that is then written to the node. Exposure is highest where image_source URLs are fetched over unauthenticated HTTP or across untrusted networks; the fix verifies the supplied checksum against the image as downloaded, before any conversion takes place.
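To make the ordering problem concrete, the following is an added illustration of the bug class, not Ironic's code and not the content of the patches: a download, verify, convert pipeline in which the checksum check is skipped on the convert-to-raw path, beside the corrected ordering that checks the bytes as received before converting them. The sample image bytes, the header-stripping `convert_to_raw`, the `mitm_tamper` helper and all function names are constructed for this example; `CHECKSUM_ALGO` and `EXPECTED_CHECKSUM` merely play the role that an operator-supplied hash algorithm and value play in a real deployment.

```python
import hashlib
import hmac

# Constructed sample image: a fake qcow2-style header followed by a payload.
# It stands in for an image fetched from an image_source URL; nothing here is
# Ironic's own code or a real disk image format.
SAMPLE_HEADER = b"QFI\xfb"
SAMPLE_PAYLOAD = b"disk contents v1"
SAMPLE_IMAGE = SAMPLE_HEADER + SAMPLE_PAYLOAD
CHECKSUM_ALGO = "sha256"  # the operator-supplied hash algorithm (assumed)
EXPECTED_CHECKSUM = hashlib.new(CHECKSUM_ALGO, SAMPLE_IMAGE).hexdigest()


class ImageChecksumError(Exception):
    """Raised when the downloaded image does not match the supplied checksum."""


def convert_to_raw(data):
    """Stand-in for `qemu-img convert -O raw`: strips the fake header.

    The output no longer matches EXPECTED_CHECKSUM, which is why the check
    must run on the bytes as downloaded, not on the converted result.
    """
    if not data.startswith(SAMPLE_HEADER):
        raise ValueError("sample image header missing")
    return data[len(SAMPLE_HEADER):]


def verify_checksum(data, expected, algo):
    """Compare the operator-supplied checksum against the downloaded bytes."""
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise ImageChecksumError(f"{algo} mismatch: expected {expected}, got {actual}")


def mitm_tamper(data):
    """Model an on-path attacker rewriting the image body in transit (constructed)."""
    return SAMPLE_HEADER + b"disk contents v2 (tampered)"


def stage_image_vulnerable(downloaded, expected, algo, force_raw=True):
    """Flawed ordering: on the convert-to-raw path the checksum is never
    checked, so whatever arrived is converted and handed on for streaming."""
    if force_raw:
        return convert_to_raw(downloaded)
    verify_checksum(downloaded, expected, algo)
    return downloaded


def stage_image_hardened(downloaded, expected, algo, force_raw=True):
    """Corrected ordering: verify the bytes as downloaded, then convert."""
    verify_checksum(downloaded, expected, algo)
    if force_raw:
        return convert_to_raw(downloaded)
    return downloaded


def demo():
    """Run both paths against clean and tampered downloads; return the outcomes."""
    tampered = mitm_tamper(SAMPLE_IMAGE)
    results = {
        "hardened_clean": stage_image_hardened(SAMPLE_IMAGE, EXPECTED_CHECKSUM, CHECKSUM_ALGO),
        "vulnerable_tampered": stage_image_vulnerable(tampered, EXPECTED_CHECKSUM, CHECKSUM_ALGO),
    }
    try:
        stage_image_hardened(tampered, EXPECTED_CHECKSUM, CHECKSUM_ALGO)
        results["hardened_rejects_tampered"] = False
    except ImageChecksumError:
        results["hardened_rejects_tampered"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The design point is that the checksum an operator supplies describes the source image, so a verification step placed after conversion would have nothing valid to compare against; the only correct place for it is on the bytes as received, before any transformation. The check also only defeats a man-in-the-middle if the expected value reaches the conductor over a trusted channel (the node's instance_info set through the API) rather than alongside the untrusted download itself.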
Patches
https://review.opendev.org/c/openstack/ironic/+/931300 (2023.1/antelope(ironic))
https://review.opendev.org/c/openstack/ironic/+/931299 (2023.2/bobcat(ironic))
https://review.opendev.org/c/openstack/ironic/+/931295 (2024.1/caracal(ironic))
https://review.opendev.org/c/openstack/ironic/+/931294 (2024.2/dalmatian(ironic))
https://review.opendev.org/c/openstack/ironic/+/931293 (2025.1/epoxy (ironic))
https://review.opendev.org/c/openstack/ironic/+/931298 (Bugfix/24.0 (ironic))
https://review.opendev.org/c/openstack/ironic/+/931297 (Bugfix/25.0 (ironic))
https://review.opendev.org/c/openstack/ironic/+/931296 (Bugfix/26.0 (ironic))
https://review.opendev.org/c/openstack/ironic/+/931305 (Unmaintained/victoria(ironic))
https://review.opendev.org/c/openstack/ironic/+/931304 (Unmaintained/wallaby(ironic))
https://review.opendev.org/c/openstack/ironic/+/931303 (Unmaintained/xena(ironic))
https://review.opendev.org/c/openstack/ironic/+/931302 (Unmaintained/yoga(ironic))
https://review.opendev.org/c/openstack/ironic/+/931301 (Unmaintained/zed(ironic))
Credits
Julia Kreger from Red Hat (CVE-2024-47211)
References
Notes
No other Ironic-adjacent projects, including Ironic-Python-Agent, require patching to resolve this vulnerability.
As usual, we will provide updated releases off maintained branches, but will not create new releases off bugfix or unmaintained branches.