Bug 2305975 (CVE-2024-8007)

Summary: CVE-2024-8007 openstack-tripleo-common: RHOSP Director Disables TLS Verification for Registry Mirrors
Product: [Other] Security Response
Reporter: Michal Findra <mfindra>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: eglynn, jjoyce, jschluet, lhh, lsvaty, mburns, mgarciac, nobody, owalsh, pgrist, ramishra, rhos-maint, slinaber, ytale
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: owalsh: needinfo? (mfindra)
       lhh: needinfo? (mfindra)
       lhh: needinfo? (mfindra)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the openstack-tripleo-common component of the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2305979, 2305980, 2305982, 2305983, 2305984, 2305985, 2305986, 2305987, 2305988, 2305989, 2305990, 2305991, 2305992, 2305993, 2305994, 2323236
Bug Blocks:

Description Michal Findra 2024-08-20 11:04:02 UTC
RHOSP Director has a "container image prepare" step which generates a
deployment configuration file containing the list of container images to
deploy on the OSP nodes based on the user-provided config. It can
optionally populate a local registry and update the configuration file to
reference the locally mirrored images instead.

In the first case, where it just generates the image list, connectivity to
the registry is tested for each of the images unless it is from a
predefined list of secure registries. If TLS verification for this
connection fails then the registry is automatically added to the
DockerInsecureRegistries parameter in the generated config file. This
parameter will ultimately set insecure=true for the referenced registry in
/etc/containers/registry.conf on all hosts while deploying/updating RHOSP
and images will be pulled from the registry insecurely.

In the second case, while mirroring an image, the same connectivity check
is used. If TLS verification of this connection fails then TLS verification
is disabled for the image mirroring task.

With TLS verification disabled a MITM attack delivering tainted container
images would not be detected.
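The fail-open pattern described in the report, shown next to a fail-closed version and an audit of the resulting host configuration, as an added example that is not tripleo-common code and not part of the bug report. The registry probe is injected as a callable so the block runs offline; the `SECURE_REGISTRIES` entries, the image names, the mirror hostname and the `registries.conf` sample (the description refers to the file as `/etc/containers/registry.conf`) are all constructed for the example, and the hand-written TOML parser understands only the flat `[[registry]]` tables it needs.

```python
import ssl
from typing import Callable, Dict, List

# Registries the prepare step trusts without probing. The real predefined list
# in tripleo-common is not reproduced here; these two entries are an assumption.
SECURE_REGISTRIES = {"registry.redhat.io", "registry.access.redhat.com"}

# Constructed sample input: one image from a trusted registry, two from a local
# mirror whose certificate the probe will reject (e.g. self-signed).
SAMPLE_IMAGES = [
    "registry.redhat.io/rhosp-rhel9/openstack-nova-compute:17.1",
    "mirror.example.internal:8787/rhosp-rhel9/openstack-keystone:17.1",
    "mirror.example.internal:8787/rhosp-rhel9/openstack-glance-api:17.1",
]
SAMPLE_FAILURES = {"mirror.example.internal:8787": "self-signed certificate"}

# Constructed registries.conf (v2 layout) as it would look after a deploy that
# carried DockerInsecureRegistries=[mirror.example.internal:8787].
SAMPLE_REGISTRIES_CONF = """\
unqualified-search-registries = ["registry.redhat.io"]

[[registry]]
location = "registry.redhat.io"

[[registry]]
location = "mirror.example.internal:8787"   # local mirror
insecure = true
"""


class InsecureRegistryError(Exception):
    """Raised by the fail-closed variant when a registry fails TLS verification."""


def _registry_of(image: str) -> str:
    # "host[:port]/namespace/name:tag" -> "host[:port]"
    return image.split("/", 1)[0]


def make_probe(failing: Dict[str, str]) -> Callable[[str], None]:
    """Offline stand-in for the network connectivity check: registries listed in
    `failing` raise a certificate verification error with the given reason."""
    def probe(registry: str) -> None:
        if registry in failing:
            raise ssl.SSLCertVerificationError(failing[registry])
    return probe


def prepare_fail_open(images: List[str], probe: Callable[[str], None]) -> Dict[str, List[str]]:
    """Reported behaviour: a TLS verification failure during the probe silently
    lands the registry in DockerInsecureRegistries, so every host later pulls
    from it with verification off."""
    insecure = set()
    for image in images:
        registry = _registry_of(image)
        if registry in SECURE_REGISTRIES or registry in insecure:
            continue
        try:
            probe(registry)
        except ssl.SSLCertVerificationError:
            insecure.add(registry)  # fail open: the error is swallowed
    return {"DockerInsecureRegistries": sorted(insecure)}


def prepare_fail_closed(images: List[str], probe: Callable[[str], None]) -> Dict[str, List[str]]:
    """Hardened variant: a TLS failure aborts preparation. Marking a registry
    insecure stays an explicit operator decision, never an automatic fallback."""
    for image in images:
        registry = _registry_of(image)
        if registry in SECURE_REGISTRIES:
            continue
        try:
            probe(registry)
        except ssl.SSLCertVerificationError as exc:
            raise InsecureRegistryError(
                f"TLS verification failed for {registry}; refusing to continue: {exc}"
            ) from exc
    return {"DockerInsecureRegistries": []}


def refuses(images: List[str], probe: Callable[[str], None]) -> bool:
    """True when the fail-closed variant aborts for these inputs."""
    try:
        prepare_fail_closed(images, probe)
    except InsecureRegistryError:
        return True
    return False


def insecure_registries_in_conf(conf_text: str) -> List[str]:
    """Audit a registries.conf for [[registry]] tables with insecure = true.
    Minimal parser: comments, [[table]] headers and flat key = value lines only."""
    tables: List[Dict[str, str]] = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[["):
            tables.append({"_table": line.strip("[]")})
        elif "=" in line and tables:
            key, value = (part.strip() for part in line.split("=", 1))
            tables[-1][key] = value.strip('"')
    return [t["location"] for t in tables
            if t.get("_table") == "registry" and t.get("insecure") == "true" and "location" in t]


if __name__ == "__main__":
    probe = make_probe(SAMPLE_FAILURES)
    print("fail-open result:", prepare_fail_open(SAMPLE_IMAGES, probe))
    print("fail-closed refuses:", refuses(SAMPLE_IMAGES, probe))
    print("insecure in registries.conf:", insecure_registries_in_conf(SAMPLE_REGISTRIES_CONF))
```

On a real undercloud the audit function can be pointed at the generated container image environment file (look for a non-empty `DockerInsecureRegistries` under `parameter_defaults`) and at `/etc/containers/registries.conf` on deployed hosts; any mirror that appears there without an operator having chosen it is the symptom this bug produces.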

Comment 10 errata-xmlrpc 2024-11-21 09:28:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:9991 https://access.redhat.com/errata/RHSA-2024:9991

Comment 11 errata-xmlrpc 2024-11-21 09:32:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:9990 https://access.redhat.com/errata/RHSA-2024:9990