{
  "threat_severity" : "Low",
  "public_date" : "2024-04-17T00:00:00Z",
  "bugzilla" : {
    "description" : "ironic-image: Unauthenticated local access to Ironic API",
    "id" : "2275847",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2275847"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-288",
  "details" : [ "Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the `IRONIC_REVERSE_PROXY_SETUP` variable set to `true`, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself, and 2) Ironic listens on the host network on private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (`INSPECTOR_REVERSE_PROXY_SETUP` set to `true`), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the `IRONIC_PRIVATE_PORT` variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access the Ironic API and use it to modify bare-metal machines, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.", "A vulnerability was found in Ironic-image. This issue occurs when setting IRONIC_REVERSE_PROXY_SETUP to 'true', which may allow unauthenticated local access to the Ironic API private port without authentication." ],
  "statement" : "Red Hat rates this as a low impact vulnerability because exploitation is expected to require high complexity and significant prerequisites for an attacker to obtain benefits and privileges in an environment.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2024-05-16T00:00:00Z",
    "advisory" : "RHSA-2024:2782",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el9",
    "package" : "openshift4/ose-ironic-rhel9:v4.12.0-202404301511.p0.g9a3e609.assembly.stream.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:2875",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el9",
    "package" : "openshift4/ose-ironic-rhel9:v4.13.0-202405072309.p0.g881e793.assembly.stream.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2024-05-09T00:00:00Z",
    "advisory" : "RHSA-2024:2668",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el9",
    "package" : "openshift4/ose-ironic-rhel9:v4.14.0-202404250639.p0.g0e91ffa.assembly.stream.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2024-05-02T00:00:00Z",
    "advisory" : "RHSA-2024:2068",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el9",
    "package" : "openshift4/ose-ironic-rhel9:v4.15.0-202404240736.p0.gc5321a9.assembly.stream.el9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-31463\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-31463\nhttps://github.com/metal3-io/ironic-image/security/advisories/GHSA-g2cm-9v5f-qg7r" ],
  "name" : "CVE-2024-31463",
  "mitigation" : {
    "value" : "Below are two mitigations for this vulnerability:\n1. Switch to using unix sockets for traffic between HTTPD and Ironic/Inspector (recommended). Set the variables IRONIC_PRIVATE_PORT and IRONIC_INSPECTOR_PRIVATE_PORT to the value unix.\nOR \n2. Temporarily stop using the reverse proxy mode (set IRONIC_REVERSE_PROXY_SETUP and INSPECTOR_REVERSE_PROXY_SETUP to false).",
    "lang" : "en:us"
  },
  "csaw" : false
}