Bug 2315010 (CVE-2024-47211)

Summary: CVE-2024-47211 openstack-ironic: Lack of checksum validation on images
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asdas, bmontgom, dpaolell, eglynn, eparis, jburrell, jdelft, jjoyce, jschluet, jupierce, lgarciaa, lhh, lsvaty, mbenatto, mbiarnes, mburns, mgarciac, nstielau, pgrist, rhos-maint, rpittau, sbaker, security-response-team, sidsharm, sponnaga, talessio, vlaad, ximhan, yuxzhu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenStack Ironic. The lack of checksum verification allows an attacker with access to the images to modify an image without the change noticed by OpenStack. This issue leads to integrity issues in the image.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2315015, 2315016    
Bug Blocks:    
Deadline: 2024-10-03   

Description OSIDB Bzimport 2024-09-26 20:20:05 UTC 
There's a flaw in Ironic where images may not have their checksum validated before conversion, potentially permitting man-in-the-middle attacks modifying image data.
Comment 2 errata-xmlrpc 2024-10-23 05:29:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:8229 https://access.redhat.com/errata/RHSA-2024:8229
Comment 3 errata-xmlrpc 2024-10-30 01:13:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8415 https://access.redhat.com/errata/RHSA-2024:8415
Comment 4 errata-xmlrpc 2025-01-22 15:55:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Services on OpenShift 18.0

Via RHSA-2025:0439 https://access.redhat.com/errata/RHSA-2025:0439
Comment 5 errata-xmlrpc 2025-04-07 22:34:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:3482 https://access.redhat.com/errata/RHSA-2025:3482