8dd6589e66
Virtual media devices based logic needs to be guarded from being used or considered based upon if the machine actually booted from virtual media, or not. At the same time, actual devices need to be checked in order to make sure they align with what we expect in order to prevent consideration of content which should not be leveraged. Change-Id: If2d5c6f4815c9e42798a2d96d59015e1b1dbd457 Story: 2008749 Task: 42108
31 lines
1.4 KiB
YAML
31 lines
1.4 KiB
YAML
---
|
|
security:
|
|
- |
|
|
Addresses a potential vector in which an system authenticated malicious
|
|
actor could leveraged data left on disk in some limited cases to make the
|
|
API of the ``ironic-python-agent`` attackable, or possibly break cleaning
|
|
processes to prevent the machine from being able to be returned to the
|
|
available pool. Please see `story 2008749 <https://storyboard.openstack.org/#!/story/2008749>`_
|
|
for more information.
|
|
fixes:
|
|
- |
|
|
Adds validation of Virtual Media devices in order to prevent existing
|
|
partitions on the system from being considered as potential sources of IPA
|
|
configuration data.
|
|
- |
|
|
Adds check into the configuration load from virtual media, to ensure it
|
|
only occurs when the machine booted from virtual media.
|
|
issues:
|
|
- |
|
|
Logic around virtual media device validation is now much more strict,
|
|
and may not work in all cases. Should you discover a case, please provide
|
|
the output from ``lsblk -P -O`` with a virtual media device attached to the
|
|
Ironic development community via
|
|
`Storyboard <https://storyboard.openstack.org/#!/project/947>`_.
|
|
- |
|
|
Internal logic to copy configuration data from virtual media now requires
|
|
the ``boot_method=vmedia`` flag to be set on the kernel command line of
|
|
the bootloader for the virtual media. Operators crafting custom boot
|
|
ISOs, should ensure that the appropriate command line is being added in
|
|
any custom build processes.
|