Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the IRONIC_REVERSE_PROXY_SETUP variable set to true, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (INSPECTOR_REVERSE_PROXY_SETUP set to true), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the IRONIC_PRIVATE_PORT variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.
A product requires authentication, but the product has an alternate path or channel that does not require authentication.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat OpenShift Container Platform 4.12 | RedHat | openshift4/ose-ironic-rhel9:v4.12.0-202404301511.p0.g9a3e609.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/ose-ironic-rhel9:v4.13.0-202405072309.p0.g881e793.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | openshift4/ose-ironic-rhel9:v4.14.0-202404250639.p0.g0e91ffa.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | openshift4/ose-ironic-rhel9:v4.15.0-202404240736.p0.gc5321a9.assembly.stream.el9 | * |