An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration."
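A defender-side check for the regression described above, as an added example that is not part of the original report or of either project's code: it compares two libvirt domain XML dumps taken before and after a boot-device change and reports elements that lost their `passwd` attribute. It assumes the protection is a `passwd` attribute (as libvirt uses on `<graphics>` elements), which the report does not specify, and that both dumps include security info (for example `virsh dumpxml --security-info`), since libvirt omits the attribute otherwise; the sample XML and function names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain; the name and password value are made up.
BEFORE = """<domain type='kvm'>
  <name>node-0</name>
  <os><type arch='x86_64'>hvm</type><boot dev='hd'/></os>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' passwd='constructed-secret'/>
  </devices>
</domain>"""
# Same domain after a boot-device change: once with the password dropped
# (the behaviour the report describes), once with it preserved.
AFTER_BROKEN = BEFORE.replace("dev='hd'", "dev='network'").replace(
    " passwd='constructed-secret'", "")
AFTER_OK = BEFORE.replace("dev='hd'", "dev='network'")


def passwd_slots(domain_xml):
    """Map (tag, type attribute, n-th occurrence) -> element has a passwd."""
    slots, seen = {}, {}
    for el in ET.fromstring(domain_xml).iter():
        kind = (el.tag, el.get("type"))
        n = seen.get(kind, 0)
        seen[kind] = n + 1
        slots[kind + (n,)] = "passwd" in el.attrib
    return slots


def boot_devices(domain_xml):
    """Return the ordered list of <os><boot dev=.../> values."""
    return [b.get("dev") for b in ET.fromstring(domain_xml).findall("./os/boot")]


def audit(before_xml, after_xml):
    """Report elements still present after the change but no longer protected."""
    before, after = passwd_slots(before_xml), passwd_slots(after_xml)
    # after.get(k) is None when the element itself was removed: that is not
    # a password loss, so only an explicit False is reported.
    lost = [k for k, had in before.items() if had and after.get(k) is False]
    return {"boot_changed": boot_devices(before_xml) != boot_devices(after_xml),
            "lost": lost}


if __name__ == "__main__":
    print(audit(BEFORE, AFTER_BROKEN))
    print(audit(BEFORE, AFTER_OK))
```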
Created python-sushy-tools tracking bugs for this issue: Affects: openstack-rdo [bug 2142679]
Created python-virtualbmc tracking bugs for this issue:
Affects: fedora-all [bug 2142980]
Affects: openstack-rdo [bug 2142981]
There is no sushy-tools 0.22.0 (https://opendev.org/openstack/sushy-tools/tags); should fixed-in-version be 0.21.1 instead?
This issue has been addressed in the following products:
Red Hat OpenStack Platform 13.0 - ELS
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS
Via RHSA-2022:8896 https://access.redhat.com/errata/RHSA-2022:8896
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-44020