
OpenStack Ironic Users Advised to Patch Critical Security Vulnerability
A critical security flaw (CVE-2024-44082) has been identified in OpenStack's Ironic project, which is used for provisioning bare metal machines. It allows authenticated users to supply image data that is passed to qemu-img without validation. The vulnerability affects multiple versions of Ironic and the Ironic-Python-Agent (IPA) and can lead to unauthorized access to sensitive information because of improper handling of the images that qemu-img processes.

The flaw was discovered by Dan Smith and Julia Kreger of Red Hat, and Jay Faulkner of G-Research. It originates from the lack of validation of image data before that data is handed to qemu-img for processing. An authenticated attacker could use a specially crafted image to trigger unintended actions in qemu-img, potentially exposing sensitive data.

Affected versions include:

Ironic: Versions prior to 21.4.3, between 22.0.0 and 23.0.2, from 23.1.0 to 24.1.2, and between 25.0.0 and 26.0.1.

Ironic-Python-Agent: Versions before 9.4.2, between 9.5.0 and 9.7.1, from 9.8.0 to 9.11.1, and between 9.12.0 and 9.13.1.

To mitigate CVE-2024-44082, OpenStack has issued patches for all maintained branches of Ironic and Ironic-Python-Agent, from the Dalmatian development branch back to Antelope. The updates validate images before they are passed to qemu-img, so that a malicious image is rejected rather than being allowed to trigger unauthorized actions.

In cases where the Ironic-Python-Agent cannot be updated, administrators can enable the configuration option `[conductor]conductor_always_validates_images`, which forces all image downloads to be validated through the Ironic conductor. However, this option may lead to performance issues in high-traffic environments.

As part of the remediation, administrators should clear cached images by stopping the Ironic conductor and deleting files from the `[pxe]instance_master_path` directory.

Additionally, a new configuration option `[conductor]permitted_image_formats` has been introduced to restrict the accepted image formats. By default, only raw and qcow2 formats are allowed, as these are the only formats tested and supported by Ironic. Expanding this list is possible but not recommended due to potential security vulnerabilities.
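The following Python example, added here and not taken from Ironic or ironic-lib, shows the shape of the check the post describes: identify an image's container format from its own header bytes, without invoking qemu-img on the untrusted file, and reject anything outside the permitted list (raw and qcow2, mirroring the default of `[conductor]permitted_image_formats`). The magic-number table and the extra rejection of qcow2 images that name an external backing file are this example's own conservative choices, not behaviour the post attributes to Ironic.

```python
import struct

# Permitted formats, mirroring the post's stated default for
# [conductor]permitted_image_formats (assumption: raw and qcow2 only).
DEFAULT_PERMITTED = frozenset({"raw", "qcow2"})

# Header magics used to classify a container format from the file's own
# bytes, so qemu-img is never run on an image that fails this check.
QCOW_MAGIC = b"QFI\xfb"   # QCOW/QCOW2, followed by a big-endian u32 version
VMDK_MAGIC = b"KDMV"      # VMDK sparse extent header
VHDX_MAGIC = b"vhdxfile"  # Hyper-V VHDX file type identifier


def detect_format(header: bytes) -> str:
    """Classify an image from its first 32+ bytes; unknown data is 'raw'."""
    if header[:4] == QCOW_MAGIC:
        version = struct.unpack(">I", header[4:8])[0]
        return "qcow2" if version in (2, 3) else "qcow"
    if header[:4] == VMDK_MAGIC:
        return "vmdk"
    if header[:8] == VHDX_MAGIC:
        return "vhdx"
    return "raw"


def qcow2_has_backing_file(header: bytes) -> bool:
    """qcow2 header bytes 8..20 hold backing_file_offset (u64) and size (u32)."""
    offset, size = struct.unpack(">QI", header[8:20])
    return offset != 0 and size != 0


def validate_image_header(header: bytes, permitted=DEFAULT_PERMITTED) -> str:
    """Return the detected format, or raise ValueError if qemu-img must not see it."""
    fmt = detect_format(header)
    if fmt not in permitted:
        raise ValueError(f"format {fmt!r} not in permitted formats {sorted(permitted)}")
    # Extra conservative policy (this example's choice, not from the post): a
    # qcow2 naming a backing file would make qemu-img open a second, attacker-chosen path.
    if fmt == "qcow2" and qcow2_has_backing_file(header):
        raise ValueError("qcow2 image references an external backing file")
    return fmt


if __name__ == "__main__":
    # Constructed sample headers, each padded to 32 bytes.
    clean_qcow2 = QCOW_MAGIC + struct.pack(">IQI", 3, 0, 0) + b"\0" * 12
    backed_qcow2 = QCOW_MAGIC + struct.pack(">IQI", 3, 0x1000, 16) + b"\0" * 12
    vmdk = VMDK_MAGIC + b"\0" * 28
    print(validate_image_header(clean_qcow2))  # qcow2
    for bad in (backed_qcow2, vmdk):
        try:
            validate_image_header(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

In a real deployment the header would be read from the downloaded file with a bounded `read(512)` before any qemu-img invocation, and the permitted set would come from the conductor's configuration rather than a constant.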

It's crucial to note that the Ironic project does not support using ironic-lib for non-Ironic purposes. Independent use of ironic-lib could expose users to this vulnerability. The Ironic project plans to remove the vulnerable methods from ironic-lib in future releases.