====================================================================================================================================
OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs 
when configured to convert images to raw for streaming
====================================================================================================================================

:Date: October 03, 2024
:CVE: CVE-2024-47211


Affects
~~~~~~~
- Ironic: <21.4.4, >=22.0.0 <23.0.3, >=23.1.0 <24.1.3, >=25.0.0 <26.1.0


Description
~~~~~~~~~~~
Julia Kreger of Red Hat noticed a vulnerability in image validation for
Ironic: when Ironic is configured to convert images to raw for streaming,
an image fetched from the supplied image_source URL may not have its
checksum validated before conversion. A man-in-the-middle attacker able to
modify the image in transit could therefore have altered image data
converted and used as if it were the genuine image.
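The ordering the fix restores, shown as an added example that is not Ironic's own code: the downloaded file is hashed in a streaming fashion and compared against the supplied checksum first, and only a file that passes is handed to the converter. The converter here is a stand-in callable (Ironic shells out to qemu-img, which is not modelled), the function names are illustrative, and the image bytes and checksums are constructed for the demo.

```python
"""Verify an image's checksum before converting it (added example, not
Ironic's code). A vulnerable ordering that converts without consulting the
supplied checksum is shown beside the hardened ordering that verifies first.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Callable

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GiB image never sits in memory


class ImageChecksumError(Exception):
    """Downloaded image does not match the checksum that was supplied for it."""


def compute_checksum(path: str, algorithm: str = "sha256") -> str:
    """Stream the file through hashlib and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path: str, expected: str, algorithm: str = "sha256") -> str:
    """Raise ImageChecksumError unless the file hashes to `expected`."""
    actual = compute_checksum(path, algorithm)
    # Constant-time compare; both sides are ASCII hex, so compare_digest accepts str.
    if not hmac.compare_digest(actual, expected.strip().lower()):
        raise ImageChecksumError(
            f"{algorithm} mismatch for {path}: expected {expected}, got {actual}")
    return actual


def convert_unverified(path: str, convert: Callable[[str], str]) -> str:
    """Vulnerable ordering: the file goes straight to the converter and the
    supplied checksum is never consulted on this path, so a modified download
    is converted as if it were genuine."""
    return convert(path)


def verify_then_convert(path: str, expected: str, algorithm: str,
                        convert: Callable[[str], str]) -> str:
    """Hardened ordering: verify first; the converter never sees a file whose
    checksum failed."""
    verify_checksum(path, expected, algorithm)
    return convert(path)


def demo() -> dict:
    """Constructed scenario: a 'good' image with its published sha256, and a
    tampered copy standing in for a man-in-the-middle edit of the download."""
    good = b"IMAGE-HEADER\x00" + b"kernel=good-image\n" * 4096
    tampered = good.replace(b"good-image", b"evil-image", 1)
    expected = hashlib.sha256(good).hexdigest()

    calls = []  # every path the stand-in converter was handed

    def fake_convert(path: str) -> str:
        calls.append(path)
        return path + ".raw"

    result = {}
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "good.qcow2")
        bad_path = os.path.join(d, "tampered.qcow2")
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(tampered)

        # Vulnerable path: the tampered file is converted without any check.
        convert_unverified(bad_path, fake_convert)
        result["unverified_converted_tampered"] = calls == [bad_path]
        calls.clear()

        # Hardened path: the genuine file passes verification and is converted...
        result["good_converted"] = verify_then_convert(
            good_path, expected, "sha256", fake_convert) == good_path + ".raw"
        calls.clear()

        # ...while the tampered file is rejected before the converter ever runs.
        try:
            verify_then_convert(bad_path, expected, "sha256", fake_convert)
            result["tampered_rejected"] = False
        except ImageChecksumError:
            result["tampered_rejected"] = True
        result["converter_calls_after_reject"] = len(calls)
    return result


if __name__ == "__main__":
    print(demo())
```

The check has to happen on the bytes that were actually downloaded, before any tool touches them; verifying only the conversion output, or skipping the check on the raw-conversion path, leaves exactly the window the advisory describes.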


Patches
~~~~~~~

- https://review.opendev.org/c/openstack/ironic/+/931293 (2025.1/epoxy (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931294 (2024.2/dalmatian (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931297 (Bugfix/25.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931296 (Bugfix/26.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931295 (2024.1/caracal (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931298 (Bugfix/24.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931299 (2023.2/bobcat (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931300 (2023.1/antelope (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931305 (Unmaintained/victoria (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931304 (Unmaintained/wallaby (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931303 (Unmaintained/xena (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931302 (Unmaintained/yoga (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931301 (Unmaintained/zed (ironic))


Credits
~~~~~~~
- Julia Kreger from Red Hat (CVE-2024-47211)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2076289
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47211
- https://security.openstack.org/ossa/OSSA-2024-004.html


Notes
~~~~~
- No other Ironic-adjacent projects, including Ironic-Python-Agent,
  require patching to resolve this vulnerability.
- As usual, we will provide updated releases off maintained branches,
  but will not create new releases off bugfix or unmaintained branches.


--
Jay Faulkner
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
