Impact
Ironic-image is the Metal3 packaging of OpenStack Ironic. Dan Smith and Julia Kreger of Red Hat and Jay Faulkner of G-Research noticed a vulnerability in image processing in Ironic: a specially crafted image could be used by an authenticated user to trigger undesired behaviour in qemu-img, including possible unauthorized access to potentially sensitive data.
In the case of Metal3, the vulnerability can be triggered by supplying a malicious image in the image.url field of a BareMetalHost. It may allow the attacker to gain access to the container where Ironic is running.
Patches
Operators should upgrade their Ironic image to at least version v24.0.1, v24.1.2, v25.0.1 or v26.0.1, depending on which release series they are using. Users of older release series are urgently advised to upgrade to a supported one.
Additionally, operators should upgrade their IPA (ironic-python-agent) images to the latest version. In Metal3, when ironic-ipa-downloader is used, it is enough to remove any local caches (e.g. a host volume) and restart the ironic-ipa-downloader container, as Metal3 by default uses the latest IPA images.
It is important to note that the Ironic fix restricts the supported image formats to QCOW2 and RAW, while Metal3 declares support for VMDK and VDI images too. Users are strongly advised to use only QCOW2 and RAW images, since only those are tested by the Ironic and Metal3 projects. If that is not possible, the Ironic image can be started with the environment variable OS_CONDUCTOR__PERMITTED_IMAGE_FORMATS set to raw,qcow2,iso,vmdk,vdi. Widening this list means qemu-img will again parse those additional formats on user-supplied input, so it partially reopens the attack surface the fix closes; treat it as a temporary measure while images are converted to QCOW2 or RAW.
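As an added example (not code from the Ironic or ironic-image projects), the following Python sketch shows the gating logic the fix relies on: detect the container format from the file header, reject anything outside the permitted list read from OS_CONDUCTOR__PERMITTED_IMAGE_FORMATS, require the declared format to agree with the header, and pin the input format on the qemu-img command line so qemu-img never probes it itself. The function names, the magic-byte sniffer and the constructed sample headers are assumptions made for this illustration and are not Ironic's implementation.

```python
"""Gate disk images on container format before qemu-img ever sees them.

Added example for this advisory; not code from the ironic-image or Ironic
projects. It mirrors the idea behind the fix (only explicitly permitted
formats are accepted, the declared format must agree with the file header,
and qemu-img is never allowed to probe the format) with a small magic-byte
sniffer. Function names, the policy helper and the sample headers are
assumptions for the demo.
"""
import os

# Policy default mirrored from the advisory: only raw and qcow2 are trusted.
DEFAULT_PERMITTED = "raw,qcow2"


def permitted_formats(env=None):
    """Parse the same comma-separated list an operator would put in
    OS_CONDUCTOR__PERMITTED_IMAGE_FORMATS on the Ironic container."""
    env = os.environ if env is None else env
    value = env.get("OS_CONDUCTOR__PERMITTED_IMAGE_FORMATS", DEFAULT_PERMITTED)
    return frozenset(f.strip().lower() for f in value.split(",") if f.strip())


def sniff_format(header):
    """Classify an image from the first ~32 KiB of the file using container
    magic. Anything unrecognised is 'raw': raw has no header, which is why a
    raw image must never reach qemu-img without an explicit '-f raw'."""
    if header.startswith(b"QFI\xfb"):                 # QCOW magic, version follows
        version = int.from_bytes(header[4:8], "big")
        return "qcow2" if version >= 2 else "qcow"
    if header.startswith(b"KDMV") or header.startswith(b"# Disk DescriptorFile"):
        return "vmdk"                                  # sparse extent or text descriptor
    if header.startswith(b"<<< ") and b"VirtualBox Disk Image" in header[:64]:
        return "vdi"
    if header.startswith(b"vhdxfile"):
        return "vhdx"
    if header.startswith(b"conectix"):                 # dynamic/differencing VHD
        return "vpc"
    if header[0x8001:0x8006] == b"CD001":              # ISO 9660 primary volume descriptor
        return "iso"
    return "raw"


class ImageRejected(Exception):
    """Raised when an image must not be handed to qemu-img."""


def gate_image(header, declared_format, permitted):
    """Return the format to pass to qemu-img, or raise ImageRejected.

    Two independent checks: the detected container must be in the permitted
    set, and it must match what the user declared. A file declared 'raw'
    whose bytes carry a qcow2 header is exactly the kind of crafted input
    that would otherwise reach qemu-img's format-specific parsers."""
    detected = sniff_format(header)
    declared = declared_format.lower()
    if detected not in permitted:
        raise ImageRejected(f"format {detected!r} is not permitted ({sorted(permitted)})")
    if declared != detected:
        raise ImageRejected(f"declared {declared!r} but header says {detected!r}")
    return detected


def qemu_img_convert_argv(src, dst, fmt):
    """Build a convert command that pins the input format with '-f' so that
    qemu-img does no format probing of its own. The argument shape is real
    qemu-img syntax; executing it is left to the caller."""
    return ["qemu-img", "convert", "-f", fmt, "-O", "raw", src, dst]


# Constructed sample headers (not real images): a qcow2 v3 header and a VMDK one.
SAMPLE_QCOW2 = b"QFI\xfb" + (3).to_bytes(4, "big") + b"\x00" * 56
SAMPLE_VMDK = b"KDMV" + b"\x00" * 60

if __name__ == "__main__":
    policy = permitted_formats({})                    # default policy: raw,qcow2
    print(gate_image(SAMPLE_QCOW2, "qcow2", policy))  # qcow2
    for header, declared in ((SAMPLE_VMDK, "vmdk"), (SAMPLE_QCOW2, "raw")):
        try:
            gate_image(header, declared, policy)
        except ImageRejected as exc:
            print("rejected:", exc)
    print(qemu_img_convert_argv("/tmp/in.qcow2", "/tmp/out.raw", "qcow2"))
```

With the default policy the VMDK sample is rejected outright, and the qcow2 sample declared as raw is rejected for the header mismatch; only when the environment variable is widened to the advisory's raw,qcow2,iso,vmdk,vdi list does a VMDK header pass, which is the trade-off operators accept when they set it.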
Workarounds
No known workarounds.
References