00c5e0faf8
While working another issue, we discovered that support added to the ironic-conductor process that combined the image_download_source option of "local" with the "force_raw" option resulted in a case where Ironic had no concept to checksum the files *before* the conductor process triggered an image format conversion and then recorded new checksum values. In essence, this opened the user requested image file to be susceptible to a theoretical man-in-the-middle attack OR the remote server replacing the content with an unknown file, such as a new major version. This is at odds with Ironic's security model where we do want to ensure the end user of ironic is asserting a known checksum for the image artifact they are deploying, so they are aware of the present state. Due to the risk, we chose to raise this as a CVE, as infrastructure operators should likely apply this patch. As a note, if you're *not* forcing all images to be raw format through the conductor, then this issue is likely not a major issue for you, but you should still apply the patch. This is being tracked as CVE-2024-47211.

Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4f4363ee49f77e688701995323a
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
45 lines
2.2 KiB
YAML
---
security:
  - |
    An issue in Ironic has been resolved where image checksums would not be
    checked prior to the conversion of an image to a ``raw`` format image from
    another image format.

    With default settings, this normally would not take place; however, it did
    when the ``image_download_source`` option was set to ``local``. This option
    can be set at the ``node`` level for a single deployment, by default for
    that baremetal node in all cases, or via the
    ``[agent]image_download_source`` configuration option. By default, this
    setting is ``http``.

    This occurred in concert with the ``[DEFAULT]force_raw_images`` option when
    set to ``True``, which caused Ironic to download and convert the file.

    In a fully integrated context of Ironic's use in a larger OpenStack
    deployment, where images are coming from the Glance image service, the
    previous pattern was not problematic. The overall issue was introduced as
    a result of the capability to supply, cache, and convert a disk image
    provided as a URL by an authenticated user.

    Ironic will now validate the user supplied checksum prior to image
    conversion on the conductor. This can be disabled using the
    ``[conductor]disable_file_checksum`` configuration option.
fixes:
  - |
    Fixes a security issue where Ironic would fail to checksum disk image
    files it downloads when Ironic had been requested to download and convert
    the image to a raw image format. This required the
    ``image_download_source`` to be explicitly set to ``local``, which is not
    the default.

    This fix can be disabled by setting
    ``[conductor]disable_file_checksum`` to ``True``; however, this
    option will be removed in new major Ironic releases.

    As a result of this, parity has been introduced to align Ironic to
    Ironic-Python-Agent's support for checksums used by ``standalone``
    users of Ironic. This includes support for remote checksum files to be
    supplied by URL, in order to prevent breaking existing users which may
    have inadvertently been leveraging the prior code path. This support can
    be disabled by setting
    ``[conductor]disable_support_for_checksum_files`` to ``True``.
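The release note above describes two things the fix changes: the user-supplied checksum is now validated on the downloaded file before any format conversion happens, and a checksum may be supplied as a remote checksum file rather than a bare digest. The following is an added example, written for this page and not code from Ironic or the Ironic-Python-Agent, that shows the safe ordering (verify, then convert, then record the digest of the converted artifact) and a parser for the common ``sha256sum``-style listing format. The sample image bytes, the checksum listing, the ``fake_convert`` stand-in for the real conversion step, and the digest-length-to-algorithm mapping are all constructed assumptions of this example, not Ironic behaviour.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample data (not from Ironic): a stand-in "disk image" and a
# checksum listing in the ``sha256sum`` output format, "<hexdigest>  <filename>".
SAMPLE_IMAGE_NAME = "example.qcow2"
SAMPLE_IMAGE_BYTES = b"QFI\xfb" + bytes(range(256)) * 4
SAMPLE_IMAGE_SHA256 = hashlib.sha256(SAMPLE_IMAGE_BYTES).hexdigest()
SAMPLE_CHECKSUM_LISTING = (
    "# constructed listing with two entries\n"
    + "0" * 64 + "  other.img\n"
    + SAMPLE_IMAGE_SHA256 + " *" + SAMPLE_IMAGE_NAME + "\n"
)

# Assumption of this example: choose the algorithm from the hex digest length.
DIGEST_LENGTHS = {32: "md5", 64: "sha256", 128: "sha512"}


def infer_algorithm(digest):
    """Map a hex digest's length to a hashlib algorithm name."""
    try:
        return DIGEST_LENGTHS[len(digest)]
    except KeyError:
        raise ValueError("unrecognised checksum length %d" % len(digest))


def compute_checksum(path, algorithm, chunk_size=1 << 20):
    """Stream the file through the hash so large images are never fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_listing(text, filename):
    """Find the digest for ``filename`` in a sha256sum-style listing.

    Entries look like '<hex>  <name>' or '<hex> *<name>' (binary-mode marker).
    Returns None when the listing has no entry for that name.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if os.path.basename(name.lstrip("*")) == filename:
            return digest.lower()
    return None


def checksum_matches(path, expected):
    """Constant-time comparison of the file's digest with the expected one."""
    actual = compute_checksum(path, infer_algorithm(expected))
    return hmac.compare_digest(actual, expected.lower())


def verify_then_convert(path, expected, convert):
    """The ordering the fix enforces: verify the user-supplied checksum on the
    downloaded file *before* conversion, and only then record the digest of the
    converted artifact. Raises ValueError instead of converting unverified data."""
    if not checksum_matches(path, expected):
        raise ValueError("checksum mismatch for %s; refusing to convert" % path)
    converted_path = convert(path)
    return compute_checksum(converted_path, infer_algorithm(expected))


def fake_convert(path):
    """Constructed stand-in for an image format conversion (not qemu-img):
    writes a sibling file with a different header."""
    out = path + ".raw"
    with open(path, "rb") as src, open(out, "wb") as dst:
        dst.write(b"RAW:" + src.read()[4:])
    return out


def demo():
    """Run the flow against a good download and a tampered one; return results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, SAMPLE_IMAGE_NAME)
        with open(good, "wb") as f:
            f.write(SAMPLE_IMAGE_BYTES)
        expected = parse_checksum_listing(SAMPLE_CHECKSUM_LISTING, SAMPLE_IMAGE_NAME)
        results["parsed_digest"] = expected
        results["good_verified"] = checksum_matches(good, expected)
        results["converted_digest"] = verify_then_convert(good, expected, fake_convert)

        # Simulate content that changed in transit or at the remote server.
        tampered = os.path.join(tmp, "tampered.qcow2")
        with open(tampered, "wb") as f:
            f.write(SAMPLE_IMAGE_BYTES + b"extra")
        try:
            verify_then_convert(tampered, expected, fake_convert)
            results["tampered_rejected"] = False
        except ValueError:
            results["tampered_rejected"] = True
        results["tampered_converted_exists"] = os.path.exists(tampered + ".raw")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of ``verify_then_convert`` is the order of operations: the digest that is compared is the one the user asserted against the bytes as downloaded, and the digest recorded afterwards is derived from the converted file, never substituted for the user's assertion. The tampered case shows that a mismatching file is rejected before the conversion step runs at all, so no converted artifact of unverified content is ever produced.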