PT-2024-24094 · Openstack · Ironic-Image

Published: 2024-04-17 · Updated: 2024-04-17 · CVE-2024-31463

CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Ironic-image versions prior to 24.1.1

Description: The issue affects Ironic-image, an OpenStack Ironic deployment packaged and configured by Metal3, when reverse proxy mode is enabled by setting the IRONIC_REVERSE_PROXY_SETUP variable to true. In this mode, HTTP basic credentials are validated on the HTTPD side in a separate container rather than in the Ironic service itself, and Ironic listens on a private port, 6388 on localhost by default. As a result, any Pod or local Unix user on the control plane Node can reach the Ironic API on the private port without authentication. An attacker with enough privileges to launch a Pod with host networking on the control plane can access the Ironic API and use it to modify bare-metal machines, e.g. provision them with a new image or change their BIOS settings.

Recommendations: For versions prior to 24.1.1, update to version 24.1.1 to resolve the issue. As a temporary workaround, consider disabling reverse proxy mode by setting the IRONIC_REVERSE_PROXY_SETUP variable to false until a patch is available. Restrict access to the private port 6388 to minimize the risk of exploitation. Avoid leaving the IRONIC_PRIVATE_PORT variable unset or set to a numeric value in reverse proxy mode until the issue is resolved.
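The following audit script is an added example, not code from the advisory or from Metal3. It checks one ironic container spec (as found in a Kubernetes Deployment) for the combination described above: reverse proxy mode enabled, an image older than 24.1.1, and IRONIC_PRIVATE_PORT unset or numeric. It assumes the image tag carries the ironic-image version and that the variables are spelled IRONIC_REVERSE_PROXY_SETUP and IRONIC_PRIVATE_PORT; the sample container is constructed.

```python
import re

FIXED_VERSION = (24, 1, 1)  # first ironic-image release with the fix

def parse_version(image):
    """Extract (major, minor, patch) from an image reference tag, else None."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def container_env(container):
    """Flatten a Kubernetes container env list into a name -> value dict."""
    return {e["name"]: str(e.get("value", "")) for e in container.get("env", [])}

def audit_ironic_container(container, host_network=False):
    """Return a list of findings for one ironic container spec ([] if clean).

    Flags the advisory's exposure: reverse proxy mode on, an unfixed (or
    unknown) image version, and the private port left at its default or at
    any numeric TCP port, which Ironic then serves on localhost unauthenticated.
    """
    env = container_env(container)
    if env.get("IRONIC_REVERSE_PROXY_SETUP", "").lower() != "true":
        return []  # not in reverse proxy mode: Ironic checks credentials itself
    version = parse_version(container.get("image", ""))
    if version is not None and version >= FIXED_VERSION:
        return []  # fixed release
    findings = []
    shown = ".".join(map(str, version)) if version else "unknown"
    findings.append(f"ironic-image version {shown} is not 24.1.1 or later")
    port = env.get("IRONIC_PRIVATE_PORT")
    if port is None or port.isdigit():
        state = "unset" if port is None else "numeric"
        findings.append(f"IRONIC_PRIVATE_PORT is {state}: unauthenticated Ironic API "
                        f"on localhost:{port or '6388'}")
    if host_network:
        findings.append("pod uses hostNetwork: other host-networked pods and local "
                        "users on the node can reach the private port")
    return findings

# Constructed sample container (not a real Metal3 deployment).
SAMPLE_CONTAINER = {
    "name": "ironic",
    "image": "quay.io/metal3-io/ironic:v24.1.0",  # constructed tag
    "env": [{"name": "IRONIC_REVERSE_PROXY_SETUP", "value": "true"}],
}

if __name__ == "__main__":
    for finding in audit_ironic_container(SAMPLE_CONTAINER, host_network=True):
        print("FINDING:", finding)
```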

Weakness Enumeration: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers:
CVE-2024-31463
GHSA-G2CM-9V5F-QG7R

Affected Products: Ironic-Image