[OSSA-2024-004] Ironic sometimes fails to verify checksums of supplied image_source URLs (CVE-2024-47211)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ironic |
Fix Released
|
High
|
Julia Kreger | ||
OpenStack Security Advisory |
Fix Released
|
Undecided
|
Jay Faulkner |
Bug Description
Ironic contains a number of distinct features which also evolved over time to meet the needs of the community and infrastructure operators.
Originally, Image content only came from a trusted image store (Glance) where the checksum was known to have been pre-validated, and often just recorded by Glance, so ironic-python-agent could validate the checksum while streaming the image contents to disk in order to detect either a MITM or change in the source image which was not known, which failed the deploy to provide feedback to the operator.
As time evolved, capabilities were added to allow operators to optimize traffic and download images directly from the source to the agent. Luckily the agent's downloads do enforce checksums which is how this was observed
The issue arises when we've asked the conductor, via use of the "image_
The net result, in a direct usage of ironic's API, an authenticated user with privileges to deploy a node, user may request a remote image from a URL which does not have it's checksum verified after transport, leaving that action open to a potential MITM attack.
The chain of this issue appears to start at:
https:/
And then the image_to_raw method *should* checksum the file, but it does not:
https:/
Once the newly converted raw image is on disk, then ironic continues with it's process and generates a new checksum, which is made available for IPA to verify the download of the content.
https:/
In essence, ironic needs to perform the same basic check that IPA performs to validate the checksum is also what the user supplied and that there is not a mismatch in the value. This should realistically be done prior to converting the image, but could potentially be done after fetching the file. The major issue is part of ironic's contract is that the checksum is performed for disk images to ensure that nothing has happened in the mean time since the URL was retrieve and validated or occurred while in transport.
Assigning to myself as I'm likely the one who will code and test the fix for this.
CVE References
Julia Kreger (juliaashleykreger) wrote : | #1 |
Changed in ironic: | |
status: | New → In Progress |
importance: | Undecided → High |
Julia Kreger (juliaashleykreger) wrote : | #2 |
I discussed this with JayF who is an ironic-core and on the OpenStack VMT team. Overall, pretty good and the flow makes sense given structure/pattern, but some notes below.
common/images.py:
* We likely need to check for errors coming from oslo.utils.
* We *likely* need to adopt length based fingerprint checking to mirror IPA in standalone cases.
* Current handling of md5 does not respect the default md5 option knob, that needs to be fixed.
* Upper case input testing is missing.
* Normalize checksum algo to lower, and test as well, just to be on the extra safe side.
conf/conductor.py
* Restructure the help text to say "In the default case, files have their checksum verified prior to conversion"
drivers/
* _get_checksum_
* Some excess whitespace changes in deploy_utils in the patch, needs to be fixed.
* One other thing to consider, we likely need to validate against available hashlib algorithms Data example below. IPA explicitly, at least *newer* IPA versions have specific guess matching.
>>> hashlib.
{'blake2b', 'shake_256', 'sha512_224', 'blake2s', 'sha384', 'sha3_384', 'sha512_256', 'sha3_512', 'md5-sha1', 'shake_128', 'sha3_256', 'sha224', 'sm3', 'sha3_224', 'md5', 'sha1', 'sha512', 'sha256'}
As an action item, we also wanted to check what glance defaults to, and it is sha512, but that is on storage of an artifact based upon the default configuration.
Julia Kreger (juliaashleykreger) wrote : | #3 |
After discussing with JayF more yesterday, after taking a holistic look at the usage of the image_checksum field and the support which was added into the ironic-python-agent for URL based checksum payload files, a consensus was reached that we should discuss with Dmitry Tantsur, and I took the action item to do so first thing this morning.
The TL;DR:
Even with the scoping context, Dmitry thinks this is still a CVE, albeit minor given the number of aspect s which need to line up outside of the "normal" settings, and the biggest challenge with this is the disjointed context regarding purpose of the field, i.e. is it for data validation or is it for security.
A risk of regression which Dmitry was also able to highlight is a potential case of a fix breaking IPA users if the are opting into the conductor local conversion and stream out to the ramdisk, where today "it silently works". The net result seems to be that we will need to bolster the checksum support in ironic to reach parity with IPA.
A noted major outcome also needs to be to improve the documentation to appropriately set user context. i.e. is the checksum a security feature, or a data integrity feature. The necessary logic fix itself is relatively simple even though it really requires working all the way through the cache interaction.
Julia Kreger (juliaashleykreger) wrote : | #4 |
Revised patch for review.
Dmitry Tantsur (divius) wrote : | #5 |
In exceptions:
+class ImageChecksumEr
ImageUnacceptable seems to have HTTP code 500, which is wrong here. Btw the same affects the existing ImageInvalid.
In documentation:
> Use of the node ``instance_
I disagree with this statement. It makes sense from the Glance perspective, but for a standalone user, image_checksum is easy to use and to remember (how do you remember the "_os_" part?), especially since the hash algorithm is mostly redundant in real world.
> [conductor]
nit: no need to repeat "conductor" in the option name
In def validate_checksum:
> use_checksum_algo is not None and use_checksum_algo == ''
The first part is completely redundant: if it's '' it's not None. Or did you mean to check use_checksum instead?
+ if not use_checksum_algo:
+ # This is backwards compatible support for a bare checksum.
+ if not CONF.agent.
I'd prefer the md5 logic moved to _get_checksum_
+ LOG.error("Failed to read file %(path)s to compute checksum.",
+ {"path": path})
+ raise exception.
This is not a checksum error though, you're unable to read the *image file*, right? I'd handle it differently.
+ if calculated.lower() != use_checksum.
This will crash if use_checksum is None, which seems to be an accepted case.
In image_cache:
+def _fetch(context, image_href, path, force_raw=False, expected_
+ expected_
New parameters completely unused?
General comment: could you group the new checksum code in a new module, like ironic.
description: | updated |
Changed in ossa: | |
status: | New → Triaged |
assignee: | nobody → Jay Faulkner (jason-oldos) |
description: | updated |
Jay Faulkner (jason-oldos) wrote : | #6 |
Jay Faulkner (jason-oldos) wrote : | #7 |
CVE Request 1731951 is in to MITRE to get a CVE assigned.
Julia Kreger (juliaashleykreger) wrote : | #8 |
Jay, regarding the draft. It looks good except for "As usual, we will provide updated releaes off..."
One thought, we could frame it with "image_
That being said, one could view the same issue if they were to emulate glance v1 and MITM the interaction which would definitely also mean prior versions are impacted as well. I guess the thought processes and question is more how do we present the slice of the issue, or not.
Julia Kreger (juliaashleykreger) wrote : | #9 |
Hey Dmitry, Thanks for the feedback.
I'm unsure if the HTTP return code matters in this case, since we're past task.process_event launching a new worker to handle the next steps of the deployment process. From a point of order standpoint, I'll fix it just in case it ever gets changed/evolved in the future to cover the base concern since I do agree in principal.
Regarding docs, I'll attempt to better split the hair there. Bottom line boils down to we can't block on precise wording for this, but I see your point.
Overall, I suspect some of your comments are driven by some context needing to be added which we already discussed, but you've definitely got some points I likely need to address and I'll move it all to a separate file to lessen back port pain. I may have also misread one of your comments when we discussed, but I should have a new revision by your tomorrow afternoon. Thanks!
Julia Kreger (juliaashleykreger) wrote : | #10 |
Dmitry, regarding your concern of new parameters completely unused, I added them as positional on the callers. I'll fix. Thanks!
Julia Kreger (juliaashleykreger) wrote : | #11 |
Greetings Dmitry, I'm attaching a new version to take a look at. Please let me know what you think. I do need to do a little more work on the unit tests since shifting some of the code over.
Thanks!
Dmitry Tantsur (divius) wrote : | #12 |
Just a thought on disable_
Are you sure you've added checksum_utils to the patch? I cannot see it.
Dmitry Tantsur (divius) wrote : | #13 |
> Dmitry, regarding your concern of new parameters completely unused, I added them as positional on the callers. I'll fix. Thanks!
Seems not fixed still?
Julia Kreger (juliaashleykreger) wrote : | #14 |
Sorry about that, now with checksum_utils.
Julia Kreger (juliaashleykreger) wrote : | #15 |
Regarding IPA, I think that is a hard-no, because we've *always* had the checksum requirement, and so adding a parity feature to it as part of a CVE fix seems like a bad path to take. We set that expectation, and the knob is only to disable the operation on the conductor to enable short term route-around issues.
Regarding the new parameters, they are passed and that explicit change to keyword arg parameters forced unit test changes along the code involved, but sometimes they can be optional based upon the overall code path's invocation. The *key* is the images we deploy though and that is the contract set up which matches IPA's behavior on image downloads and write-outs. The contract being, if someone says "this image with this checksum", we need to verify it, not just ignore the checksum and overwrite the checksum when converted to raw locally.
Julia Kreger (juliaashleykreger) wrote : | #16 |
Chatted with Dmitry because it seemed we were not on the same page. I misread his prior comment about IPA. That would be a feature to have support for that lockout to be extended, the only reason to have it in ironic is because it is technically a feature in parity to help address the overall problem.
He was also able to point out the line I wasn't seeing in the code otherwise, so we're good now. I just need to do some minor cleanup and test changes and we should be good to begin testing in devstack soon().
Julia Kreger (juliaashleykreger) wrote : | #17 |
Dmitry, revised patch is attached with moved testing for the most part. I didn't completely duplicate testing where it made sense as well. Trying to walk a reasonable path there. Please let me know! Thanks!
I'll likely spin up a devstack tomorrow and run this patch through it's paces .
Dmitry Tantsur (divius) wrote : | #18 |
Overall note: I'd appreciate a bit more detailed docstrings for new functions, especially around return values and exceptions (anything for get_checksum_
---
In def get_checksum_
nit: a few cases of re.findall which can be replaced by search since we only care about the first instance (yes, it was probably me who wrote this code initially, I know :)
+ reason='Checksum file empty.')
missing _()
+ reason=("Checksum file does not contain name %s" % expected_fname))
should be
+ reason=_("Checksum file does not contain name %s") % expected_fname)
---
In def get_checksum_
+ # NOTE(TheJulia): This is all based on SHA-2 lengths.
+ # SHA-3 would require a hint, thus ValueError because
+ # it may not be a fixed length. That said, SHA-2 is not
+ # as of this not being added, being withdrawn standards wise.
I'm a bit confused. First, I don't see what ValueError refers to. Second, double "not" in the last sentence. Third, did you mean SHA-3 being withdrawn?
---
In unit tests
+class IronicChecksumU
I'd prefer several classes for different functions (bonus: you can move @mock decorators to the class level).
===
None of the comments are critical, so revision 4 is good to go as far as I'm concerned. Thank you for working on this issue!
Jay Faulkner (jason-oldos) wrote : | #19 |
The diff looks fine to me, I have no additional comments other than this general question:
Why are we even giving people a knob to disable checking the checksum? If we can't articulate a use case for it, I'd be hard pressed to think that hatch should exist -- at least in the master version of the patch. If we want to add it for stable to avoid breaking folks, I can understand that a little.
If there *is* a known case where this can break existing installs; that's also a case that's potentially being exploited today. Why is it OK to let them disable checksum checking?
Jay Faulkner (jason-oldos) wrote (last edit ): | #20 |
A second note: I wouldn't hate having disable_
Note: I still have not been issued a CVE number by mitre. Technically the 5 business days -- the maximum they suggest it will take -- is in a couple of course. I will follow up Monday if I haven't received one yet.
Julia Kreger (juliaashleykreger) wrote : | #21 |
Greetings Jay, The general knob to disable checksum is the escape latch switch for operators to be able to pull when they have applied the fix, where they discover they have users which were sending an incorrect checksum the entire time.
I'm basically -2 to the approach of only having a knob in stable backports because of the increased risk for issues with backports. Given how limited my time is, this change needs to be as clean a fix as possible with as minimal risk as possible.
If at all possible, I need to get this fix shipped next week as well. I'll be testing this week.
If y'all decide we would rather not have a knob, I'm fine with that as well. The bottom line is the knob is an attempt to be nice to operators for when this drops because rebuilds may suddenly break if the original request had a bad checksum. This is also why we loaded in the support for checksums from URLs, because that is a feature which was added to IPA and Ironic needs to be aware of it to navigate how to handle the request if the operator has configured for the image to be converted by the conductor.
Dmitry Tantsur (divius) wrote : | #22 |
Maybe we should insta-deprecate the knob? Otherwise, I agree with Julia's line of thoughts.
Julia Kreger (juliaashleykreger) wrote : | #23 |
I'm totally cool with doing so.
Jay Faulkner (jason-oldos) wrote : Re: [CVE-2024-47211] Ironic sometimes fails to verify checksums of supplied image_source URLs | #24 |
CVE-2024-47211 has been assigned to this security issue.
summary: |
- Ironic fails to verify checksums of supplied image_source URLs when - configured to convert images to raw for streaming + [CVE-2024-47211] Ironic sometimes fails to verify checksums of supplied + image_source URLs |
Jay Faulkner (jason-oldos) wrote : | #25 |
As far as I'm concerned, marking it as deprecated in backports and removing it on master ASAP is essentially a perfect implementation of my suggestion. I'm onboard to keep the knob but insta-deprecate it.
Thanks!
Jay Faulkner (jason-oldos) wrote : | #26 |
- (obsolete) ossa-2024-003-revised-2024-09-23 Edit (2.3 KiB, text/plain)
Updated OSSA with CVE reference attached.
Julia Kreger (juliaashleykreger) wrote : | #27 |
Swapped the knob to insta-deprecate.
While doing basic testing, I realized a slight problem with the original approach which was to only checksum *if* we're doing a conversion. I changed that to go ahead and just always run the checksum if the image fetch is triggered and we have a checksum, from the simple standpoint that it will also provide faster feedback for users. The issue with my approach is the image conversion to raw is split into two parts, the fetch and then later the force to raw, and due to the modeling the checksum was only getting passed in on the first call. Stepping back a little made a bit more sense.
Changed documentation and removed the newly added knob and adjusted the release note.
Overall, a bit more simple. Seems better. I'm post a new patch here in a little bit and y'all can take a look.
Dmitry, also made some of the changes noted, but do also want to sort of get this locked down and begin backporting this week.
Julia Kreger (juliaashleykreger) wrote : | #29 |
Jay, the summary text in the OSSA does need to be revised since we've cut a release last week.
Dmitry Tantsur (divius) wrote : | #30 |
In def get_checksum_
+ raise exception.
+ image_href=
+ reason=("Checksum file does not contain name %s" % expected_fname))
Misspelled exception name ImageDownloadfailed vs ImageDownloadFa
Also missing i18n around the error message.
+ # NOTE(TheJulia): This testing file *lacks* the url testing explicitly,
+ # however that is presently covered by invocation through code testing
+ # in test_deploy_
We probably should get some tests as the issue above shows. I don't think the parsing part is actually covered indirectly.
Jay Faulkner (jason-oldos) wrote : | #31 |
Julia Kreger (juliaashleykreger) wrote : | #32 |
Julia Kreger (juliaashleykreger) wrote : | #33 |
- bug-2076289-dev-master-branch.diff Edit (83.9 KiB, text/plain)
Attached is the latest version of the fix, with the changes Dmitry requested *and* one spelling fix codespell found.
Jay Faulkner (jason-oldos) wrote : | #34 |
A couple minor nitpicks in security.rst:
- When we reference subfields in JSON-based db fields, we usually use forward slash (instance_
- When you reference the config item, you can use the new oslo config reference syntax that we've made consistent throughout the docs.
Neither of these would prevent me from +2'ing the patch and it's backports.
Julia Kreger (juliaashleykreger) wrote : | #35 |
Greetings Jay, Done. Diff below.
+++ b/doc/source/
@@ -38,21 +38,21 @@ Ironic users leverage, outside of the "general" use case capabilities provided
by the ``direct`` deployment interface.
.. NOTE::
- Use of the node ``instance_
+ Use of the node ``instance_
for integrated OpenStack Users as usage of the matching Glance Image
Service field is also deprecated. That being said, Ironic retains this
feature by popular demand while also enabling also retain simplified
operator interaction.
The newer field values supported by Glance are also specifically
- supported by Ironic as ``instance_
- checksum values and ``instance_
+ supported by Ironic as ``instance_
+ checksum values and ``instance_
the checksum algorithm.
.. WARNING::
Setting a checksum value to a URL is supported, *however* doing this is
making a "tradeoff" with security as the remote checksum *can* change.
Conductor support this functionality can be disabled using the
- ``[conductor]
+ :oslo.config:
REST API: user roles and policy settings
======
Julia Kreger (juliaashleykreger) wrote : | #36 |
Julia Kreger (juliaashleykreger) wrote : | #37 |
Julia Kreger (juliaashleykreger) wrote : | #38 |
Julia Kreger (juliaashleykreger) wrote : | #39 |
Julia Kreger (juliaashleykreger) wrote : | #40 |
Julia Kreger (juliaashleykreger) wrote : | #41 |
Julia Kreger (juliaashleykreger) wrote : | #42 |
Julia Kreger (juliaashleykreger) wrote : | #43 |
Julia Kreger (juliaashleykreger) wrote : | #44 |
Julia Kreger (juliaashleykreger) wrote : | #45 |
Julia Kreger (juliaashleykreger) wrote : | #46 |
Julia Kreger (juliaashleykreger) wrote : | #47 |
Julia Kreger (juliaashleykreger) wrote : | #48 |
Dmitry Tantsur (divius) wrote : | #49 |
> Attached is a quick diff for Dmitry.
LGTM (also with the changes Jay requested).
summary: |
- [CVE-2024-47211] Ironic sometimes fails to verify checksums of supplied - image_source URLs + [OSSA-2024-004] Ironic sometimes fails to verify checksums of supplied + image_source URLs (CVE-2024-47211) |
Jay Faulkner (jason-oldos) wrote : | #50 |
embargo-notice and linux-distros list informed per VMT process
Jay Faulkner (jason-oldos) wrote : | #51 |
- ossa-repo-patch-ossa-2024-004.patch Edit (3.1 KiB, text/plain)
A `git am` friendly version of the OSSA patch, since I may be out on disclosure date. Please be sure to edit the yaml to update the gerrit links once they exist.
description: | updated |
information type: | Private Security → Public |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master) | #52 |
Fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (stable/2024.2) | #53 |
Fix proposed to branch: stable/2024.2
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (stable/2024.1) | #54 |
Fix proposed to branch: stable/2024.1
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (bugfix/26.0) | #55 |
Fix proposed to branch: bugfix/26.0
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (bugfix/25.0) | #56 |
Fix proposed to branch: bugfix/25.0
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (bugfix/24.0) | #57 |
Fix proposed to branch: bugfix/24.0
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (stable/2023.2) | #58 |
Fix proposed to branch: stable/2023.2
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (stable/2023.1) | #59 |
Fix proposed to branch: stable/2023.1
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (unmaintained/zed) | #60 |
Fix proposed to branch: unmaintained/zed
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (unmaintained/yoga) | #61 |
Fix proposed to branch: unmaintained/yoga
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (unmaintained/xena) | #62 |
Fix proposed to branch: unmaintained/xena
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (unmaintained/wallaby) | #63 |
Fix proposed to branch: unmaintained/
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (unmaintained/victoria) | #64 |
Fix proposed to branch: unmaintained/
Review: https:/
information type: | Public → Public Security |
Changed in ossa: | |
status: | Triaged → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (bugfix/26.0) | #65 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: bugfix/26.0
commit 6f653d7b52c49a4
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (bugfix/25.0) | #66 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: bugfix/25.0
commit 799900d1f180ffb
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (bugfix/24.0) | #67 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: bugfix/24.0
commit c164641b4526fad
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master) | #68 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 00c5e0faf8e435b
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
Changed in ironic: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (stable/2023.2) | #69 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2023.2
commit b3d85c494af6f69
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (stable/2024.2) | #70 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2024.2
commit afe4f480905fb80
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (stable/2024.1) | #71 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2024.1
commit 0d6b5c9a283b186
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
tags: | added: in-unmaintained-zed |
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (unmaintained/zed) | #72 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: unmaintained/zed
commit 336d76a11198720
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 23.0.3 | #73 |
This issue was fixed in the openstack/ironic 23.0.3 release.
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 24.1.3 | #74 |
This issue was fixed in the openstack/ironic 24.1.3 release.
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 26.1.1 | #75 |
This issue was fixed in the openstack/ironic 26.1.1 release.
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (unmaintained/victoria) | #76 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: unmaintained/
commit 0942a1b198f8035
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
tags: | added: in-unmaintained-victoria |
tags: | added: in-unmaintained-wallaby |
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (unmaintained/wallaby) | #77 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: unmaintained/
commit 2f514be6205c00c
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
tags: | added: in-unmaintained-xena |
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (unmaintained/xena) | #78 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: unmaintained/xena
commit 7afa6ba056969e4
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (stable/2023.1) | #79 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2023.1
commit b7cc66502e0628c
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (unmaintained/yoga) | #80 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: unmaintained/yoga
commit 2ea32ad666cfa2e
Author: Julia Kreger <email address hidden>
Date: Tue Sep 17 09:57:19 2024 -0700
Checksum files before raw conversion
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4
Signed-off-by: Julia Kreger <email address hidden>
tags: | added: in-unmaintained-yoga |
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 21.4.4 | #81 |
This issue was fixed in the openstack/ironic 21.4.4 release.
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 27.0.0 | #82 |
This issue was fixed in the openstack/ironic 27.0.0 release.
Attached is a first pass fix. If I can get a sanity check on it from another ironic-core, that would be much appreciated.