After further analysis and testing, we conclude that this vulnerability does not affect the Ironic drivers that are enabled by default in MOS (fuel-agent based drivers do not have the vendor_passthru/lookup endpoint, a bug in which is the root of this vulnerability).
Executing a request crafted as described in this CVE against an Ironic node with the fuel_ipmitool driver results in the following error response:
400, {"error_message": "{\"debuginfo\":null,\"faultcode\":\"Client\",\"faultstring\":\"No handler for method lookup\"}"}
instead of returning full unmasked node info.
However, we do ship the vulnerable Ironic-Python-Agent-based drivers in MOS (as they are an integral part of the upstream code), and operators are free to reconfigure Ironic and enable those drivers/assign them to nodes.
Given all the above, I am marking this bug as High priority, and recommend releasing the fix in the next possible MU for MOS8/9.
As the vulnerability is scheduled to go public before the MOS9 GA date, I also recommend that it is appropriately described in the MOS9 release info, suggesting that operators avoid using IPA-based Ironic drivers in MOS9 until the next MU. A technical bulletin for users of Ironic in MOS8 should also be created with the same warning.
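The comment above distinguishes an affected driver from an unaffected one by the response to the lookup call: the fuel_ipmitool driver answers with a 400 whose faultstring is "No handler for method lookup", whereas an IPA-based driver answers with node details. The helper below, added here as an example and not part of the bug report or of Ironic itself, decodes Ironic's double-encoded error body and classifies a captured response so that an operator auditing nodes after the MU can record which drivers still expose the endpoint. The two sample bodies are constructed: the first is the error quoted in the comment, the second assumes a successful lookup returns a JSON object with a "node" entry carrying "driver_info" (an assumption; the page does not show that format), with placeholder credential values.

```python
import json

NOT_HANDLED = "No handler for method lookup"

# Constructed sample: the 400 body quoted in the bug comment (fuel_ipmitool driver).
SAMPLE_NOT_HANDLED = ('{"error_message": "{\\"debuginfo\\":null,\\"faultcode\\":\\"Client\\",'
                      '\\"faultstring\\":\\"No handler for method lookup\\"}"}')

# Constructed sample of an affected driver's reply; format and values are
# placeholders assumed for this example, not taken from the bug report.
SAMPLE_EXPOSED = json.dumps({
    "heartbeat_timeout": 300,
    "node": {"uuid": "00000000-0000-0000-0000-000000000000",
             "driver": "agent_ipmitool",
             "driver_info": {"ipmi_address": "192.0.2.10",
                             "ipmi_username": "PLACEHOLDER",
                             "ipmi_password": "PLACEHOLDER"}},
})


def parse_ironic_error(body_text):
    """Ironic returns WSME faults as {"error_message": "<JSON string>"}: the
    inner fault is JSON encoded inside the outer JSON. Decode both layers and
    return the fault dict, or None if the body is not in that shape."""
    try:
        outer = json.loads(body_text)
    except ValueError:
        return None
    inner = outer.get("error_message") if isinstance(outer, dict) else None
    if isinstance(inner, str):
        try:
            inner = json.loads(inner)
        except ValueError:
            return None
    return inner if isinstance(inner, dict) else None


def classify_lookup_response(status, body_text):
    """Classify one captured lookup response: 'not_exposed' when the driver has
    no lookup handler, 'exposed' when unmasked node details came back, else
    'unknown' (treat unknown as needing manual review, not as safe)."""
    if status == 400:
        fault = parse_ironic_error(body_text)
        if fault is not None and fault.get("faultstring") == NOT_HANDLED:
            return "not_exposed"
        return "unknown"
    if status == 200:
        try:
            data = json.loads(body_text)
        except ValueError:
            return "unknown"
        node = data.get("node") if isinstance(data, dict) else None
        if isinstance(node, dict) and "driver_info" in node:
            return "exposed"
    return "unknown"
```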