Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the `IRONIC_REVERSE_PROXY_SETUP` variable set to `true`, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (`INSPECTOR_REVERSE_PROXY_SETUP` set to `true`), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the `IRONIC_PRIVATE_PORT` variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-17T15:21:49.384Z

Updated: 2024-08-02T01:52:57.081Z

Reserved: 2024-04-03T17:55:32.647Z

Link: CVE-2024-31463

cve-icon Vulnrichment

Updated: 2024-07-05T15:20:44.652Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-17T16:15:08.637

Modified: 2024-11-21T09:13:34.760

Link: CVE-2024-31463

cve-icon Redhat

Severity : Low

Publid Date: 2024-04-17T00:00:00Z

Links: CVE-2024-31463 - Bugzilla