Message-ID: <867c72f3-eb43-44ff-849b-ecd451a50f6d@jvf.cc>
Date: Sat, 5 Oct 2024 12:37:42 -0700
From: Jay Faulkner <jay@....cc>
To: oss-security@...ts.openwall.com
Subject: OSSA-2024-004 / CVE-2024-47211: OpenStack Ironic <26.1.1 fails to
 verify checksums of supplied image_source URLs when configured to convert
 images to raw for streaming

====================================================================================================================================
OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming
====================================================================================================================================

:Date: October 03, 2024
:CVE: CVE-2024-47211


Affects
~~~~~~~
- Ironic: <21.4.4, >=22.0.0 <23.0.3, >=23.1.0 <24.1.3, >=25.0.0 <26.1.0


Description
~~~~~~~~~~~
Julia Kreger of Red Hat noticed a vulnerability in image validation for
Ironic, in which images may not have their checksum validated before
conversion, potentially permitting man-in-the-middle attacks modifying
image data.
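The defensive ordering the advisory is about, as an added illustration (not Ironic's own code): hash the bytes exactly as they arrive from the image_source URL, compare them with the operator-supplied checksum, and only then run the conversion step. Hashing after conversion, or skipping the check on the conversion path, leaves a man-in-the-middle free to swap the payload. The "FAKEIMG" container format, the header-stripping stand-in for qemu-img conversion, the sample image and its checksum are all constructed for this example.

```python
"""Checksum-before-conversion pattern for downloaded disk images.

Added example, not Ironic's code: it shows the ordering the advisory
describes (verify the fetched bytes against the supplied checksum, then
convert), using a constructed "FAKEIMG" container format as a stand-in
for a real image format and for conversion to raw.
"""
import hashlib
import hmac
import tempfile
from typing import Callable, Iterable, Iterator

FAKE_HEADER = b"FAKEIMG\x00"  # constructed stand-in for a real image header


class ImageChecksumError(Exception):
    """Raised when the downloaded bytes do not match the expected digest."""


def strip_fake_header(image: bytes) -> bytes:
    """Stand-in for 'convert to raw': drop the constructed container header."""
    if not image.startswith(FAKE_HEADER):
        raise ValueError("not a FAKEIMG container")
    return image[len(FAKE_HEADER):]


def chunked(data: bytes, size: int = 4096) -> Iterator[bytes]:
    """Split a byte string into chunks, standing in for an HTTP response body."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def fetch_verify_then_convert(
    chunks: Iterable[bytes],
    expected_checksum: str,
    algo: str,
    convert: Callable[[bytes], bytes],
) -> bytes:
    """Stream the image to a temp file while hashing it, compare the digest
    with the expected checksum, and only then hand the verified bytes to
    `convert`. A mismatch raises before any conversion work happens.
    """
    hasher = hashlib.new(algo)  # ValueError for an unsupported algorithm
    expected = expected_checksum.strip().lower()
    if len(expected) != hasher.digest_size * 2:
        raise ImageChecksumError(
            f"expected a {hasher.digest_size * 2}-char hex digest for {algo}, "
            f"got {len(expected)} chars")
    with tempfile.TemporaryFile() as tmp:
        for chunk in chunks:
            hasher.update(chunk)  # hash the bytes as received, pre-conversion
            tmp.write(chunk)
        actual = hasher.hexdigest()
        # Constant-time comparison of the hex digests.
        if not hmac.compare_digest(actual, expected):
            raise ImageChecksumError(
                f"{algo} mismatch: expected {expected}, got {actual}")
        tmp.seek(0)
        verified = tmp.read()
    return convert(verified)


# Constructed sample image and its checksum (what an operator would supply).
SAMPLE_IMAGE = FAKE_HEADER + bytes(range(64)) + b"sample disk payload"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def tampered_download_is_rejected() -> bool:
    """Flip one byte in transit (a constructed in-path modification) and
    confirm the mismatch is caught before `convert` ever runs."""
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[len(FAKE_HEADER)] ^= 0x01
    calls = []

    def counting_convert(data: bytes) -> bytes:
        calls.append(len(data))
        return strip_fake_header(data)

    try:
        fetch_verify_then_convert(chunked(bytes(tampered), 16), SAMPLE_SHA256,
                                  "sha256", counting_convert)
    except ImageChecksumError:
        return calls == []
    return False


if __name__ == "__main__":
    raw = fetch_verify_then_convert(chunked(SAMPLE_IMAGE, 16), SAMPLE_SHA256,
                                    "sha256", strip_fake_header)
    print(f"verified and converted {len(raw)} raw bytes")
    print("tampered download rejected:", tampered_download_is_rejected())
```

The point of the temp file is that the digest is taken over the stream as written to disk, so what gets converted is byte-for-byte what was checked; a deployment that converts straight from the network stream has no verified artifact to hand to the converter.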


Patches
~~~~~~~

- https://review.opendev.org/c/openstack/ironic/+/931293 (2025.1/epoxy (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931294 (2024.2/dalmatian (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931297 (Bugfix/25.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931296 (Bugfix/26.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931295 (2024.1/caracal (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931298 (Bugfix/24.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931299 (2023.2/bobcat (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931300 (2023.1/antelope (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931305 (Unmaintained/victoria (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931304 (Unmaintained/wallaby (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931303 (Unmaintained/xena (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931302 (Unmaintained/yoga (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931301 (Unmaintained/zed (ironic))


Credits
~~~~~~~
- Julia Kreger from Red Hat (CVE-2024-47211)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2076289
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47211
- https://security.openstack.org/ossa/OSSA-2024-004.html


Notes
~~~~~
- No other Ironic-adjacent projects, including Ironic-Python-Agent,
  require patching to resolve this vulnerability.
- As usual, we will provide updated releases off maintained branches,
  but will not create new releases off bugfix or unmaintained branches.


--
Jay Faulkner
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

