Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20160621222517.GE21113@jimrollenhagen.com>
Date: Tue, 21 Jun 2016 18:25:17 -0400
From: Jim Rollenhagen <jim@...rollenhagen.com>
To: oss-security@...ts.openwall.com
Subject: Ironic node information including credentials exposed to
 unathenticated users

=============================================================================
Ironic node information including credentials exposed to unathenticated users
=============================================================================

:Date: June 21, 2016
:CVE: CVE-2016-4985


Affects
~~~~~~~
- Ironic: >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1


Description
~~~~~~~~~~~
Devananda van der Veen (IBM) reported the following vulnerability in Ironic.

A client with network access to the ironic-api service can bypass Keystone
authentication and retrieve all information about any Node registered with
Ironic, if they know (or are able to guess) the MAC address of a network card
belonging to that Node, by sending a crafted POST request to the
/v1/drivers/$DRIVER_NAME/vendor_passthru resource.

The response will include the full Node details, including management
passwords, even when /etc/ironic/policy.json is configured to hide passwords in
API responses.

This vulnerability has been verified in all currently supported branches
(liberty, mitaka, master) and traced back to code introduced in commit
3e568fbbbcc5748035c1448a0bdb26306470797c during the Juno development cycle.
Therefore, it is likely that both juno and kilo braches (and their releases)
are also affected.


Patches
~~~~~~~
https://review.openstack.org/332195 (Newton)
https://review.openstack.org/332196 (Mitaka)
https://review.openstack.org/332197 (Liberty)


Credits
~~~~~~~
- Devananda van der Veen from IBM (CVE-2016-4985)

References
~~~~~~~~~~
- https://bugs.launchpad.net/ironic/+bug/1572796
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4985

Notes
~~~~~
- This fix is included in the upcoming 4.2.5 (Liberty), 5.1.2 (Mitaka), and
  6.0.0 (Newton) releases of Ironic.


--
Jim Rollenhagen
OpenStack Ironic Project Team Lead


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.