openstack/ossa
Code Issues Proposed changes

Add OSSA-2024-003 (CVE-2024-44082)

Browse Source 
Closes-bug: 2071740
Change-Id: I4595429e69834739dce2380a8a602f521271cb03
This commit is contained in:
Brian Rosmaita 2024-08-23 18:17:28 -04:00
parent ba3a6916ac
commit 8d3e8bb3ae
1 changed files with 169 additions and 0 deletions

169
ossa/OSSA-2024-003.yaml Normal file

@ -0,0 +1,169 @@
date: 2024-09-04
id: OSSA-2024-003
title: Unvalidated image data passed to qemu-img
description: |+
Dan Smith and Julia Kreger of Red Hat and Jay Faulkner of G-Research
noticed a vulnerability in image processing for Ironic, in which a
specially crafted image could be used by an authenticated user to
exploit undesired behaviors in qemu-img, including possible unauthorized
access to potentially sensitive data.
Mitigation
----------
The attached patches contain code allowing Ironic and the Ironic-Python-Agent
(IPA) to pre-screen images before passing them to qemu-img. You should
patch both of them because in some popular deployment configurations, it is
possible for images to bypass the Ironic conductor for more efficient image
downloads.
In situations where it is not possible to patch IPA, there is a new
configuration option, ``[conductor]conductor_always_validates_images``.
When this option is True, all image downloads are forced to occur through
the Ironic conductor, where they are validated. However, this may incur
a significant performance hit; hence our recommendation to patch both Ironic
and IPA.
Patches are available for both Ironic and IPA for all maintained branches,
namely, the Dalmatian development branch (current master) through Antelope.
For these branches, ``conductor_always_validates_images`` defaults to False.
For the unmaintained branches (Zed through Victoria), patches are not
available for IPA due to a significant risk of regressions. For these
branches, the Ironic patches set ``conductor_always_validates_images`` to
True, as this is the only safe way to run Ironic with an un-patched IPA.
Cached images
-------------
Images in the Ironic image cache should be purged. To purge the cache,
stop the Ironic conductor and remove the files in the
``[pxe]/instance_master_path`` directory on that conductor node.
Supported image formats
-----------------------
A new configuration option, ``[conductor]permitted_image_formats`` controls
what image formats will be accepted by Ironic. By default, the allowed
formats are 'raw' and 'qcow2', which are the only formats that Ironic is
tested with. In previous releases, it was possible to use images of other,
unsupported formats with Ironic, but this is now blocked by default due to
security issues arising from the image conversion process. It is possible,
though not recommended, to expand the list of permitted formats.
Alternatively, users requiring the use of an image in an unsupported format
can convert the image offline into a supported format before uploading the
image to Glance or otherwise making the image available to Ironic. Consult
the Ironic documentation for details.
Warning
-------
As is well-documented, the OpenStack Ironic project does not support the
use of ironic-lib for non-Ironic use cases. In its normal supported context,
ironic-lib assumes that images have been pre-screened before ironic-lib
comes in contact with them. Thus, unsupported use of ironic-lib leaves
you vulnerable to the exploit outlined in this OSSA.
The Ironic project intends eventually to explicitly remove the vulnerable
methods in ironic-lib, but reminds the reader that independent use of
ironic-lib is not supported.
Bugfix branches
---------------
Patches are available for maintained bugfix branches. These patches will
be merged to the maintained branches, but no new releases will be triggered
from those branches.
affected-products:
- product: Ironic
version: '<21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1'
- product: Ironic-Python-Agent
version: '<9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1'
vulnerabilities:
- cve-id: CVE-2024-44082
reporters:
- name: Dan Smith
affiliation: Red Hat
reported:
- CVE-2024-44082
- name: Jay Faulkner
affiliation: G-Research
reported:
- CVE-2024-44082
- name: Julia Kreger
affiliation: Red Hat
reported:
- CVE-2024-44082
issues:
links:
- https://launchpad.net/bugs/2071740
reviews:
2024.2/dalmatian(ironic):
- https://review.opendev.org/927965
2024.2/dalmatian(ironic-python-agent):
- https://review.opendev.org/927974
2024.1/caracal(ironic):
- https://review.opendev.org/927968
2024.1/caracal(ironic-python-agent):
- https://review.opendev.org/927976
2023.2/bobcat(ironic):
- https://review.opendev.org/927970
2023.2/bobcat(ironic-python-agent):
- https://review.opendev.org/927978
2023.1/antelope(ironic):
- https://review.opendev.org/927972
2023.1/antelope(ironic-python-agent):
- https://review.opendev.org/927979
unmaintained/zed(ironic):
- https://review.opendev.org/927973
unmaintained/yoga(ironic):
- https://review.opendev.org/927975
unmaintained/xena(ironic):
- https://review.opendev.org/927977
unmaintained/wallaby(ironic):
- https://review.opendev.org/927980
unmaintained/victoria(ironic):
- https://review.opendev.org/927982
bugfix/26.0 (ironic):
- https://review.opendev.org/927966
bugfix/25.0 (ironic):
- https://review.opendev.org/927967
bugfix/24.0 (ironic):
- https://review.opendev.org/927969
bugfix/9.13 (ironic-python-agent):
- https://review.opendev.org/927981
bugfix/9.12 (ironic-python-agent):
- https://review.opendev.org/927983
bugfix/9.9 (ironic-python-agent):
- https://review.opendev.org/927984
notes:
- For more information about the unadvisability of calling 'qemu-img info'
on untrusted images, see CVE-2024-04467.
- The ironic unmaintained/* branches will receive no point releases, but
patches for them are provided as a courtesy.
- The ironic-python-agent unmaintained/* branches will receive no point
releases, nor are patches for them available.
- The ironic and ironic-python-agent bugfix/* branches will receive no
point releases, but patches for them are provided as a courtesy.