Comment 1 for bug 1593209

Pavlo Shchelokovskyy (pshchelo) wrote :

After further analysis and testing, we conclude that this vulnerability does not affect the Ironic drivers that are enabled by default in MOS (fuel-agent based drivers do not have the vendor_passthru/lookup endpoint, a bug in which is the root of this vulnerability).

Executing a request crafted as described in this CVE against an Ironic node with the fuel_ipmitool driver results in the following error response:

400, {"error_message": "{\"debuginfo\":null,\"faultcode\":\"Client\",\"faultstring\":\"No handler for method lookup\"}"}

instead of returning full unmasked node info.

However, we do ship the vulnerable Ironic-Python-Agent-based drivers in MOS (as they are an integral part of the upstream code), and operators are free to reconfigure Ironic and enable those drivers/assign them to nodes.

Given all the above, I am marking this bug as High priority, and recommend releasing the fix in the next possible MU for MOS8/9.

As the vulnerability is scheduled to go public before the MOS9 GA date, I also recommend that it is appropriately described in the MOS9 release info, advising operators to avoid using IPA-based Ironic drivers in MOS9 until the next MU. A technical bulletin for users of Ironic in MOS8 should also be created with the same warning.