#VU98123 Improper validation of integrity check value in Ironic - CVE-2024-47211


Vulnerability identifier: #VU98123

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-47211

CWE-ID: CWE-354

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ironic
Server applications / Virtualization software

Vendor: Openstack

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming. A remote attacker can perform MitM attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ironic: 20.1.0 - 20.1.3-8, 21.1.0 - 21.1.2-4, 21.4.0 - 21.4.3, 22.0.0, 22.1.0, 23.0.0 - 23.0.2-4, 23.1.0, 24.0.0, 24.1.0 - 24.1.2-3, 25.0.0, 26.0.0

External links
https://github.com/openstack/ironic/compare/24.1.2...26.1.0
https://security.openstack.org/ossa/OSSA-2024-004.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Improper validation of integrity check value in Red Hat OpenStack 17.1 packages
Improper validation of integrity check value in Red Hat OpenStack 18.0 packages
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.16
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17
Improper access control in OpenStack Ironic