====================================================================================================================================
OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming
====================================================================================================================================

:Date: October 03, 2024
:CVE: CVE-2024-47211


Affects
~~~~~~~
- Ironic: <21.4.4, >=22.0.0 <23.0.3, >=23.1.0 <24.1.3, >=25.0.0 <26.1.0


Description
~~~~~~~~~~~
Julia Kreger of Red Hat noticed a vulnerability in image validation for
Ironic, in which images may not have their checksum validated before
conversion, potentially permitting man-in-the-middle attacks that modify
image data.
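The ordering the description points at can be shown in a few lines. The following is an added example and is not Ironic's code: it models the safe sequence (verify the downloaded bytes against the operator-supplied checksum, and only then hand them to a converter) and shows why the check cannot simply be postponed until after conversion. ``CountingConverter``, ``verify_then_convert``, ``deploy_attempt`` and ``checksum_survives_conversion`` are names invented for this illustration; the image bytes and checksum are constructed so the example runs offline.

```python
import hashlib
import hmac


class ChecksumMismatch(Exception):
    """Raised when downloaded image bytes do not match the supplied checksum."""


# Constructed sample standing in for bytes fetched from an image_source URL.
# Not a real disk image: a fake 4-byte header followed by 64 bytes of padding.
ORIGINAL_IMAGE = b"QFI\xfb" + bytes(range(64))

# Constructed expected checksum, as an operator would supply it alongside
# image_source (computed here so the example runs offline).
ORIGINAL_SHA256 = hashlib.sha256(ORIGINAL_IMAGE).hexdigest()


def tamper(image: bytes, offset: int = 20) -> bytes:
    """Flip one byte, modelling an on-path modification of the download."""
    data = bytearray(image)
    data[offset] ^= 0xFF
    return bytes(data)


class CountingConverter:
    """Hypothetical stand-in for the real conversion step (Ironic would call
    out to an image conversion tool); it strips the fake header and counts how
    often it was invoked so a caller can prove it never ran on unverified input."""

    def __init__(self) -> None:
        self.calls = 0

    def to_raw(self, data: bytes) -> bytes:
        self.calls += 1
        return data[4:]


def verify_checksum(data: bytes, expected: str, algorithm: str = "sha256") -> None:
    """Compare the checksum of the bytes exactly as downloaded against the
    operator-supplied value; the constant-time comparison avoids leaking how
    many leading hex digits matched."""
    actual = hashlib.new(algorithm, data).hexdigest()
    if not hmac.compare_digest(actual.lower(), expected.lower()):
        raise ChecksumMismatch(f"{algorithm} mismatch: expected {expected}, got {actual}")


def verify_then_convert(data: bytes, expected: str, converter: CountingConverter) -> bytes:
    """Safe ordering: verification runs on the raw download, and the converter
    only ever sees bytes that passed it."""
    verify_checksum(data, expected)
    return converter.to_raw(data)


def deploy_attempt(data: bytes, expected: str) -> dict:
    """Run the safe path and report whether the image was accepted and whether
    the converter was invoked at all."""
    converter = CountingConverter()
    try:
        output = verify_then_convert(data, expected, converter)
        return {"accepted": True, "converter_calls": converter.calls, "raw_size": len(output)}
    except ChecksumMismatch:
        return {"accepted": False, "converter_calls": converter.calls, "raw_size": 0}


def checksum_survives_conversion(data: bytes, expected: str) -> bool:
    """Why the check cannot be deferred: the converted bytes no longer match the
    checksum supplied for the original, so a convert-first design is forced to
    either skip the check (the flaw the advisory describes) or verify up front."""
    converted = CountingConverter().to_raw(data)
    return hmac.compare_digest(hashlib.sha256(converted).hexdigest(), expected)


if __name__ == "__main__":
    print("genuine:", deploy_attempt(ORIGINAL_IMAGE, ORIGINAL_SHA256))
    print("tampered:", deploy_attempt(tamper(ORIGINAL_IMAGE), ORIGINAL_SHA256))
    print("checksum still valid after conversion:",
          checksum_survives_conversion(ORIGINAL_IMAGE, ORIGINAL_SHA256))
```

The ``converter_calls`` count is the property worth checking in a deployment code path: a tampered download must be rejected with the converter never having been invoked, since conversion of attacker-controlled bytes is itself an exposure even before the result is written to disk.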


Patches
~~~~~~~
- https://review.opendev.org/c/openstack/ironic/+/931300 (2023.1/antelope (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931299 (2023.2/bobcat (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931295 (2024.1/caracal (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931294 (2024.2/dalmatian (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931293 (2025.1/epoxy (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931298 (Bugfix/24.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931297 (Bugfix/25.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931296 (Bugfix/26.0 (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931305 (Unmaintained/victoria (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931304 (Unmaintained/wallaby (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931303 (Unmaintained/xena (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931302 (Unmaintained/yoga (ironic))
- https://review.opendev.org/c/openstack/ironic/+/931301 (Unmaintained/zed (ironic))


Credits
~~~~~~~
- Julia Kreger from Red Hat (CVE-2024-47211)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2076289
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47211


Notes
~~~~~
- No other Ironic-adjacent projects, including Ironic-Python-Agent,
  require patching to resolve this vulnerability.
- As usual, we will provide updated releases off maintained branches,
  but will not create new releases off bugfix or unmaintained branches.


--
Jay Faulkner
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html