OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming

Date:

October 03, 2024

CVE:

CVE-2024-47211

Affects

  • Ironic: <21.4.4, >=22.0.0 <23.0.3, >=23.1.0 <24.1.3, >=25.0.0 <26.1.0

Description

Julia Kreger of Red Hat noticed a vulnerability in image validation for Ironic, in which images may not have their checksum validated before conversion, potentially permitting man-in-the-middle attacks that modify image data.
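The ordering issue described above, shown as an added example that is not Ironic's code: one path hands a downloaded file to the converter unchecked, the other hashes it first and refuses to convert on a mismatch. The function names, the stand-in `convert` callable, the file names and the sample bytes are all constructed for illustration.

```python
import hashlib
import os
import tempfile


class ChecksumMismatch(Exception):
    """The downloaded bytes do not match the checksum supplied for the image."""


def file_digest(path, algo="sha256", chunk_size=1024 * 1024):
    """Hash the file in chunks so a large image is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def convert_unverified(path, convert):
    """Flawed ordering: the converter parses bytes that nobody has checked."""
    return convert(path)


def convert_verified(path, expected_hex, convert, algo="sha256"):
    """Verify first; only a file matching the expected digest is converted."""
    if file_digest(path, algo) != expected_hex.strip().lower():
        raise ChecksumMismatch(f"{algo} mismatch for {path}")
    return convert(path)


def demo():
    """Run both orderings over a constructed image and a tampered copy."""
    original = b"constructed image bytes " * 64      # constructed sample data
    tampered = original[:-1] + b"!"                  # one byte changed in transit
    expected = hashlib.sha256(original).hexdigest()  # checksum given with the URL
    converted = []                                   # paths the converter saw
    convert = lambda p: converted.append(p) or "raw"  # hypothetical converter
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.img"), os.path.join(d, "bad.img")
        for p, data in ((good, original), (bad, tampered)):
            with open(p, "wb") as f:
                f.write(data)
        out = {"unverified_bad": convert_unverified(bad, convert),
               "verified_good": convert_verified(good, expected, convert)}
        try:
            convert_verified(bad, expected, convert)
            out["verified_bad"] = "converted"
        except ChecksumMismatch:
            out["verified_bad"] = "rejected"
    return dict(out, conversions=len(converted))
```
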

Patches

Credits

  • Julia Kreger from Red Hat (CVE-2024-47211)

References

Notes

  • No other Ironic-adjacent projects, including Ironic-Python-Agent, require patching to resolve this vulnerability.

  • As usual, we will provide updated releases off maintained branches, but will not create new releases off bugfix or unmaintained branches.