CVE-2016-4985

Name of the Vulnerable Software and Affected Versions OpenStack Ironic versions prior to 4.2.5 (Liberty) OpenStack Ironic versions 5.x prior to 5.1.2 (Mitaka)

Description The issue allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the "v1/drivers/$DRIVER NAME/vendor passthru" resource.

Recommendations For OpenStack Ironic versions prior to 4.2.5 (Liberty), update to version 4.2.5 or later. For OpenStack Ironic versions 5.x prior to 5.1.2 (Mitaka), update to version 5.1.2 or later. As a temporary workaround, consider restricting access to the v1/drivers/$DRIVER NAME/vendor passthru resource until a patch is available.