OpenStack Ironic Users Advised to Patch Critical Security Vulnerability


OpenStack’s Ironic project, the service that provisions bare-metal machines, has a critical security flaw (CVE-2024-44082): image data is passed to qemu-img without validation, and an authenticated user can exploit that to expose sensitive information. The vulnerability affects multiple versions of both Ironic and the Ironic-Python-Agent (IPA), the two components that hand images to qemu-img during provisioning.
The flaw was discovered by Dan Smith and Julia Kreger of Red Hat and Jay Faulkner of G-Research. Its root cause is that neither Ironic nor IPA validated image data before passing it to qemu-img, which interprets the image’s own headers; a crafted image supplied by an authenticated user can therefore steer what qemu-img reads and disclose data the user is not entitled to.
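The following is an added example, not code from Ironic, IPA or the OpenStack advisory, showing the kind of validation the article describes as missing. The background it relies on is qcow2/qemu behaviour: a qcow2 header carries a backing-file pointer and may carry an external data-file name as a header extension, and qemu-img opens those paths when it inspects or converts the image, so a header naming a host path turns an image conversion into a file read. The gate parses the header itself, refuses images with such references, and refuses images whose declared format does not match their bytes (a "raw" upload that starts with a qcow2 header would otherwise be auto-detected as qcow2). The sample headers are constructed inline by `build_qcow2`; the function and field names are this example's own, not Ironic's.

```python
"""Added example (not Ironic/IPA code): inspect a qcow2 header before qemu-img.

Rejects images that reference an external backing file or data file, and
images whose declared format disagrees with their content. Sample headers
are constructed by build_qcow2() below.
"""
import struct

QCOW2_MAGIC = b"QFI\xfb"
QCOW2_EXT_END = 0x00000000
QCOW2_EXT_DATA_FILE = 0x44415441  # "DATA": external data-file header extension


class UnsafeImage(Exception):
    pass


def _extensions_start(buf: bytes) -> int:
    """Offset of the first header extension: fixed for v2, a header field for v3."""
    version = struct.unpack_from(">I", buf, 4)[0]
    if version == 2:
        return 72
    if version == 3 and len(buf) >= 104:
        return struct.unpack_from(">I", buf, 100)[0]  # header_length field
    raise UnsafeImage(f"unsupported or truncated qcow2 header (version {version})")


def inspect_qcow2(buf: bytes) -> dict:
    """Return the external file references named by a qcow2 header."""
    if len(buf) < 72 or buf[:4] != QCOW2_MAGIC:
        raise UnsafeImage("not a qcow2 header")
    backing_off, backing_len = struct.unpack_from(">QI", buf, 8)
    refs = {"backing_file": None, "data_file": None}
    if backing_off:  # any non-zero offset is a reference, even one past EOF
        name = buf[backing_off:backing_off + backing_len].decode("utf-8", "replace")
        refs["backing_file"] = name or "<offset outside buffer>"
    # Extensions: u32 type, u32 length, payload padded to 8 bytes, until END.
    pos = _extensions_start(buf)
    while pos + 8 <= len(buf):
        ext_type, ext_len = struct.unpack_from(">II", buf, pos)
        pos += 8
        if ext_type == QCOW2_EXT_END:
            break
        if ext_type == QCOW2_EXT_DATA_FILE:
            refs["data_file"] = buf[pos:pos + ext_len].decode("utf-8", "replace")
        pos += (ext_len + 7) & ~7
    return refs


def check_image(buf: bytes, claimed_format: str) -> tuple:
    """Gate an uploaded image before any qemu-img invocation.

    Returns (ok, detail). On success detail is the detected format, which the
    caller should force with `qemu-img ... -f <format>` so qemu never sniffs
    the format from user-controlled bytes. This example only distinguishes
    qcow2 from raw; a real inspector must cover every accepted format.
    """
    if buf[:4] == QCOW2_MAGIC:
        detected = "qcow2"
        try:
            refs = inspect_qcow2(buf)
        except UnsafeImage as exc:
            return False, str(exc)
        if refs["backing_file"] or refs["data_file"]:
            return False, f"qcow2 references external files: {refs}"
    else:
        detected = "raw"
    if claimed_format != detected:
        return False, f"declared format {claimed_format!r} but content is {detected!r}"
    return True, detected


def build_qcow2(backing_file: bytes = b"", data_file: bytes = b"") -> bytes:
    """Construct a minimal qcow2 v3 header as sample input (not a usable disk)."""
    header_len = 104
    exts = b""
    if data_file:
        exts += struct.pack(">II", QCOW2_EXT_DATA_FILE, len(data_file)) + data_file
        exts += b"\0" * (-len(data_file) % 8)
    exts += struct.pack(">II", QCOW2_EXT_END, 0)
    backing_off = header_len + len(exts) if backing_file else 0
    hdr = QCOW2_MAGIC + struct.pack(">I", 3)
    hdr += struct.pack(">QI", backing_off, len(backing_file))  # backing_file_offset/size
    hdr += struct.pack(">IQI", 16, 1 << 30, 0)                 # cluster_bits, size, crypt_method
    hdr += struct.pack(">IQQIIQ", 0, 0, 0, 0, 0, 0)             # L1, refcount and snapshot fields
    hdr += struct.pack(">QQQ", 0, 0, 0)                        # feature bitmaps
    hdr += struct.pack(">II", 4, header_len)                   # refcount_order, header_length
    assert len(hdr) == header_len
    return hdr + exts + backing_file


if __name__ == "__main__":
    for label, data, fmt in [
        ("clean qcow2", build_qcow2(), "qcow2"),
        ("backing file -> host path", build_qcow2(backing_file=b"/etc/shadow"), "qcow2"),
        ("data file -> host device", build_qcow2(data_file=b"/dev/sda"), "qcow2"),
        ("qcow2 declared as raw", build_qcow2(), "raw"),
        ("plain raw", b"\0" * 512, "raw"),
    ]:
        print(f"{label:28} -> {check_image(data, fmt)}")
```

The point of doing this in the service rather than trusting qemu-img is that the tool's job is to follow the header; only the caller knows that a backing file should never appear in a user-uploaded image. Forcing `-f` with the detected format closes the second door, since otherwise qemu-img probes the bytes itself and a "raw" upload is treated as whatever its first bytes claim to be.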
Affected versions (all ranges inclusive):
Ironic: versions before 21.4.3, 22.0.0 through 23.0.2, 23.1.0 through 24.1.2, and 25.0.0 through 26.0.1.

Ironic-Python-Agent: versions before 9.4.2, 9.5.0 through 9.7.1, 9.8.0 through 9.11.1, and 9.12.0 through 9.13.1.
To mitigate CVE-2024-44082, OpenStack has issued patches for all maintained branches of Ironic and Ironic-Python-Agent, from the Dalmatian development branch back to Antelope. These updates include code

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents