CVE-2024-31463 Information

Description

Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the IRONIC_REVERSE_PROXY_SETUP variable set to true 1) HTTP basic credentials are validated on the HTTPD side in a separate container not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result when the reverse proxy mode is used any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (INSPECTOR_REVERSE_PROXY_SETUP set to true) although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode which is the recommended mode when TLS is used (also recommended) with the IRONIC_PRIVATE_PORT variable unset or set to a numeric value. In this case an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.

Reference

https://github.com/metal3-io/ironic-image/security/advisories/GHSA-g2cm-9v5f-qg7r https://github.com/metal3-io/ironic-image/pull/494 https://github.com/metal3-io/ironic-image/commit/48e40bd30d49aefabac6fc80204a8650b13d10b4