Bug 984802 (CVE-2016-4985) - VUL-0: CVE-2016-4985: openstack-ironic: Ironic Node information including credentials exposed to unauthenticated users
Summary: VUL-0: CVE-2016-4985: openstack-ironic: Ironic Node information including cre...
Status: RESOLVED FIXED
Alias: CVE-2016-4985
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170111/
Whiteboard: CVSSv2:SUSE:CVE-2016-4985:4.3:(AV:N/A...
Reported: 2016-06-15 09:19 UTC by Marcus Meissner
Modified: 2019-09-04 11:26 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 4 Swamp Workflow Management 2016-06-15 22:00:51 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2016-06-22 07:20:17 UTC
is public

==============================================================================
Ironic node information including credentials exposed to unauthenticated users
==============================================================================

:Date: June 21, 2016
:CVE: CVE-2016-4985


Affects
~~~~~~~
- Ironic: >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1


Description
~~~~~~~~~~~
Devananda van der Veen (IBM) reported the following vulnerability in Ironic.

A client with network access to the ironic-api service can bypass Keystone
authentication and retrieve all information about any Node registered with
Ironic, if they know (or are able to guess) the MAC address of a network card
belonging to that Node, by sending a crafted POST request to the
/v1/drivers/$DRIVER_NAME/vendor_passthru resource.

The response will include the full Node details, including management
passwords, even when /etc/ironic/policy.json is configured to hide passwords in
API responses.

This vulnerability has been verified in all currently supported branches
(liberty, mitaka, master) and traced back to code introduced in commit
3e568fbbbcc5748035c1448a0bdb26306470797c during the Juno development cycle.
Therefore, it is likely that both juno and kilo branches (and their releases)
are also affected.


Patches
~~~~~~~
https://review.openstack.org/332195 (Newton)
https://review.openstack.org/332196 (Mitaka)
https://review.openstack.org/332197 (Liberty)


Credits
~~~~~~~
- Devananda van der Veen from IBM (CVE-2016-4985)

References
~~~~~~~~~~
- https://bugs.launchpad.net/ironic/+bug/1572796
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4985

Notes
~~~~~
- This fix is included in the upcoming 4.2.5 (Liberty), 5.1.2 (Mitaka), and
  6.0.0 (Newton) releases of Ironic.


--
Jim Rollenhagen
OpenStack Ironic Project Team Lead
Comment 6 Swamp Workflow Management 2016-08-05 13:09:38 UTC
SUSE-SU-2016:1966-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 984802,988729
CVE References: CVE-2016-4985
Sources used:
SUSE OpenStack Cloud 6 (src):    openstack-designate-1.0.3~a0~dev10-6.1, openstack-designate-doc-1.0.3~a0~dev10-6.2, openstack-ironic-4.2.5-6.1, openstack-ironic-doc-4.2.5-6.2, openstack-neutron-vpnaas-7.0.5~a0~dev3-6.1, openstack-neutron-vpnaas-doc-7.0.5~a0~dev3-6.1, openstack-nova-docker-0.0.1~a0~dev238-4.1, openstack-sahara-3.0.3~a0~dev1-6.1, openstack-sahara-doc-3.0.3~a0~dev1-6.1, openstack-tempest-7.0.0-9.1, openstack-trove-4.0.1~a0~dev19-8.1, openstack-trove-doc-4.0.1~a0~dev19-8.1
Comment 7 Dirk Mueller 2019-08-07 16:32:08 UTC
This is fixed in Cloud6+
Comment 8 Marcus Meissner 2019-09-04 11:26:10 UTC
released
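
An added example (not part of the bug report or of Ironic's own code): a Python check that classifies an Ironic version or package string against the ranges in the advisory's Affects section. Reading `>=2014.2` as the date-based releases is an assumption, and the sample inventory is constructed apart from `openstack-ironic-4.2.5-6.1`, which comes from comment 6.

```python
import re

# Inclusive ranges from the advisory's "Affects" section.
AFFECTED_RANGES = [((4, 0, 0), (4, 2, 4)), ((4, 3, 0), (5, 1, 1))]
# ">=2014.2" is read here as the date-based releases (an assumption).
FIRST_DATE_BASED = (2014, 2)


def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group().split("."))


def classify(text):
    """Return 'affected', 'not-affected' or 'unknown' for a version or package string."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    if version[:2] >= FIRST_DATE_BASED:
        return "affected"
    padded = (version + (0, 0))[:3]  # "4.0" compares as 4.0.0
    for low, high in AFFECTED_RANGES:
        if low <= padded <= high:
            return "affected"
    return "not-affected"


def audit(packages):
    """Classify every openstack-ironic package in an inventory listing."""
    return {p: classify(p) for p in packages if p.startswith("openstack-ironic")}


# Constructed inventory; only openstack-ironic-4.2.5-6.1 appears in the bug report.
SAMPLE_INVENTORY = [
    "openstack-ironic-4.2.5-6.1",
    "openstack-ironic-4.2.4-1.1",
    "openstack-ironic-2015.1.0-2.1",
    "openstack-nova-12.0.0-1.1",
]

if __name__ == "__main__":
    for package, status in audit(SAMPLE_INVENTORY).items():
        print(f"{status:13} {package}")
```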