First published: Tue Jun 14 2016
A client with network access to the ironic-api service can bypass Keystone authentication and retrieve all information about any Node registered with Ironic, if they know (or are able to guess) the MAC address of a network card belonging to that Node, by sending a crafted POST request to the /v1/drivers/$DRIVER_NAME/vendor_passthru resource. The response includes the full Node details, including management passwords, even when /etc/ironic/policy.json is configured to hide passwords in API responses.

This vulnerability has been verified in all currently supported branches (liberty, mitaka, master) and traced back to code introduced in commit 3e568fbbbcc5748035c1448a0bdb26306470797c during the Juno development cycle. It is therefore likely that the juno and kilo branches (and their releases) are also affected.

Affected versions: >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1
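Two checks an operator can run against this advisory, as an added example that is not part of the original advisory or of the Ironic project's code: a scan of ironic-api access logs for POST requests to the driver-level vendor_passthru resource (the request the advisory describes, which Ironic accepts without a Keystone token), and a mapping from an installed ironic version to the fixed release listed above. The log format (eventlet.wsgi style), the driver name `example_driver`, the addresses and the response sizes are all constructed for the example; the version ranges are the ones stated in the advisory and its table.

```python
"""Checks for the ironic-api vendor_passthru information disclosure:
(1) flag POSTs to /v1/drivers/<driver>/vendor_passthru in ironic-api access
logs, (2) map an installed ironic version to the release that fixes it, or
None when the version is outside the affected ranges."""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed access-log lines in eventlet.wsgi style. The format, driver
# name, addresses and sizes are assumptions for this example, not captures.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2016 10:01:02] "GET /v1/nodes HTTP/1.1" 200 1834 0.021
10.0.0.9 - - [14/Jun/2016 10:01:07] "POST /v1/drivers/example_driver/vendor_passthru HTTP/1.1" 200 5120 0.044
10.0.0.5 - - [14/Jun/2016 10:01:09] "GET /v1/drivers/example_driver/vendor_passthru/methods HTTP/1.1" 200 412 0.008
10.0.0.9 - - [14/Jun/2016 10:01:11] "POST /v1/drivers/example_driver/vendor_passthru?method=example HTTP/1.1" 400 96 0.005
10.0.0.7 - - [14/Jun/2016 10:01:15] "POST /v1/nodes/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/vendor_passthru HTTP/1.1" 202 0 0.031
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# The driver-level resource named in the advisory, with or without a query
# string. Sub-resources such as .../vendor_passthru/methods and the
# node-level /v1/nodes/<uuid>/vendor_passthru deliberately do not match.
DRIVER_PASSTHRU_RE = re.compile(r'^/v1/drivers/[^/?]+/vendor_passthru(?:\?.*)?$')


class AccessRecord(NamedTuple):
    ip: str
    timestamp: str
    method: str
    target: str   # request path plus optional query string
    status: int
    size: int     # response body size; 0 when the log shows "-"


def parse_access_line(line: str) -> Optional[AccessRecord]:
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m['size'] == '-' else int(m['size'])
    return AccessRecord(m['ip'], m['ts'], m['method'], m['target'],
                        int(m['status']), size)


def find_driver_passthru_posts(lines: Iterable[str]) -> List[AccessRecord]:
    """Return every POST to the driver-level vendor_passthru resource.

    A 200 with a sizeable body from a host that has no business talking to
    the driver vendor interface is the pattern the disclosure produces: the
    Node details, passwords included, come back in that response."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec.method == 'POST' and DRIVER_PASSTHRU_RE.match(rec.target):
            hits.append(rec)
    return hits


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.1.1' -> (5, 1, 1); '2014.2' -> (2014, 2, 0). Extra components are dropped."""
    parts = [int(p) for p in re.findall(r'\d+', text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# (lower bound inclusive, upper bound exclusive or None, fixed release), taken
# from the advisory. The date-based juno/kilo numbering has no fixed release
# of its own; the table's "<4.2.5 -> 4.2.5" row is used for it.
AFFECTED_RANGES = (
    ((2014, 2, 0), None, "4.2.5"),
    ((4, 0, 0), (4, 2, 5), "4.2.5"),
    ((4, 3, 0), (5, 1, 2), "5.1.2"),
)


def fixed_version_for(installed: str) -> Optional[str]:
    """Return the release that fixes the installed version, or None if it is not affected."""
    v = parse_version(installed)
    for low, high, fixed in AFFECTED_RANGES:
        if v >= low and (high is None or v < high):
            return fixed
    return None


if __name__ == "__main__":
    for rec in find_driver_passthru_posts(SAMPLE_LOG.splitlines()):
        print(f"{rec.timestamp} {rec.ip} {rec.target} -> {rec.status} ({rec.size} bytes)")
    for ver in ("2014.2.1", "4.2.4", "4.2.5", "5.1.1", "5.1.2"):
        print(ver, "->", fixed_version_for(ver) or "not affected")
```

Run it against a real ironic-api log by replacing SAMPLE_LOG with the file contents; the version check deliberately treats 4.2.5 and 5.1.2 as not affected, matching the "How to fix" column below, and reports nothing for releases before 2014.2 or after 5.1.1 because the advisory lists none of them.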
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Red Hat OpenStack | =7.0 | |
Red Hat OpenStack | =8 | |
Canonical OpenStack Ironic | <=4.2.4 | |
Canonical OpenStack Ironic | =5.1.0 | |
Canonical OpenStack Ironic | =5.1.1 | |
pip/ironic | >=5.0 <5.1.2 | 5.1.2 |
pip/ironic | <4.2.5 | 4.2.5 |