PT-2022-27083 · Openstack · Openstack Sushy-Tools
Published: 2022-10-29
Updated: 2023-02-09
CVE-2022-44020
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
OpenStack Sushy-Tools versions 0.21.0 and earlier
VirtualBMC versions 2.2.2 and earlier
Description
An issue was discovered where changing the boot device configuration with the affected packages removes password protection from the managed libvirt XML domain. This issue only affects an "unsupported, production-like configuration."
Recommendations
For OpenStack Sushy-Tools versions 0.21.0 and earlier, consider restricting changes to the boot device configuration until a fix is available.
For VirtualBMC versions 2.2.2 and earlier, consider restricting changes to the boot device configuration until a fix is available.
As a temporary workaround, consider disabling the ability to change the boot device configuration to minimize the risk of exploitation.
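One way to check whether a managed domain was affected by a boot device change is to compare its persistent XML from before and after the change. The sketch below is an added example, not code from Sushy-Tools or VirtualBMC. It assumes the lost protection is the `passwd` attribute on a `<graphics>` device; the domain name `node-0`, both XML snapshots and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed snapshots of one domain's persistent XML, as captured with
# `virsh dumpxml --inactive --security-info`; without --security-info libvirt
# omits passwd from the dump, so every snapshot would look unprotected.
BEFORE = """<domain type='kvm'>
  <name>node-0</name>
  <os><type arch='x86_64'>hvm</type><boot dev='hd'/></os>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' passwd='constructed-secret'/>
  </devices>
</domain>"""

AFTER = """<domain type='kvm'>
  <name>node-0</name>
  <os><type arch='x86_64'>hvm</type><boot dev='network'/></os>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes'/>
  </devices>
</domain>"""


def graphics_protection(domain_xml):
    """Map (index, type) of each <graphics> device to True if passwd is set."""
    root = ET.fromstring(domain_xml)
    return {(i, g.get("type")): bool(g.get("passwd"))
            for i, g in enumerate(root.findall("./devices/graphics"))}


def boot_devices(domain_xml):
    """Return the ordered list of <boot dev=...> values under <os>."""
    root = ET.fromstring(domain_xml)
    return [b.get("dev") for b in root.findall("./os/boot")]


def lost_password_protection(before_xml, after_xml):
    """Graphics devices still present after the change but no longer protected."""
    before = graphics_protection(before_xml)
    after = graphics_protection(after_xml)
    return sorted(k for k, protected in before.items()
                  if protected and k in after and not after[k])


def audit(before_xml, after_xml):
    """Summarise whether the boot order changed and which devices lost passwd."""
    return {"boot_changed": boot_devices(before_xml) != boot_devices(after_xml),
            "lost_password": lost_password_protection(before_xml, after_xml)}


if __name__ == "__main__":
    print(audit(BEFORE, AFTER))
```

A non-empty `lost_password` list together with `boot_changed` being true marks a domain whose password should be restored and whose console access should be reviewed.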
Fix
Weakness Enumeration
Improper Preservation of Permissions
Affected Products
Openstack Sushy-Tools