Bug 2364264 (CVE-2025-44021)

Summary: CVE-2025-44021 openstack-ironic: unsafe image file:// paths
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: eglynn, jjoyce, jschluet, lhh, lsvaty, mburns, mgarciac, pgrist, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Ironic. It did not filter file:// paths when used as an image source except to ensure they were a file. This issue could cause config files from well-known paths to be written to disk on a node.
Deadline: 2025-05-08

Description OSIDB Bzimport 2025-05-06 00:14:45 UTC
Before this change, Ironic did not filter file:// paths when used as an
image source except to ensure they were a file (and not, e.g. a
character device). This is problematic from a security perspective
because you could end up with config files from well-known paths being
written to disk on a node.

The allowlist default list is huge, but it includes all known usages of
file:// URLs across Bifrost, Ironic, Metal3, and OpenShift in both CI
and default configuration.

For the backportable version of this patch for stable branches, we have
omitted the unconditional block of system paths in order to permit
operators using those branches to fully disable the new security
functionality.
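As an added illustration of the two checks contrasted in the description, here is the pre-fix "is it a file?" test beside an allowlist check of the kind the fix introduces. This is example code written for this page, not Ironic's own implementation and not the stable-branch backport; the allowlist, the directory layout, the file contents and the function names are all constructed for the example, and Ironic's real configuration option and its default allowlist are not reproduced.

```python
"""Added example (not Ironic's code): a file:// image-source check before
and after an allowlist of directories, run against a constructed layout."""
import os
import shutil
import stat
import tempfile
from urllib.parse import unquote, urlparse


def path_from_file_url(url):
    """Return the local path carried by a file:// URL, rejecting other schemes."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ValueError("not a file:// URL: %r" % url)
    if parsed.netloc not in ("", "localhost"):
        raise ValueError("file:// URL names a remote host: %r" % url)
    return unquote(parsed.path)


def pre_fix_check(url):
    """The behaviour the bug describes: the only test is 'is this a file?'.

    os.path.isfile() follows symlinks and resolves '..', so any regular file
    on the host, including configuration files, is accepted as an image.
    """
    path = path_from_file_url(url)
    if not os.path.isfile(path):
        raise ValueError("not a regular file: %r" % path)
    return path


def _is_under(path, directory):
    """True if `path` equals or lies below `directory` (both already resolved)."""
    return os.path.commonpath([path, directory]) == directory


def allowlisted_check(url, allowed_dirs):
    """Hardened check: resolve the path first, then require an allowlisted parent.

    `allowed_dirs` is a hypothetical allowlist chosen for this example; the
    default allowlist shipped with the fix is much larger and not reproduced.
    """
    path = path_from_file_url(url)
    # Resolve symlinks and '..' before comparing, so a link or traversal that
    # starts inside an allowed directory cannot escape it.
    real = os.path.realpath(path)
    roots = [os.path.realpath(d) for d in allowed_dirs]
    if not any(_is_under(real, root) for root in roots):
        raise ValueError("outside the allowlist: %r resolves to %r" % (path, real))
    # lstat on the resolved path: it must be a plain regular file, not a
    # directory, device, FIFO or socket.
    if not stat.S_ISREG(os.lstat(real).st_mode):
        raise ValueError("not a regular file: %r" % real)
    return real


def demo():
    """Build a throwaway tree and run both checks on five constructed URLs.

    Returns {case: (accepted_by_pre_fix_check, accepted_by_allowlisted_check)}.
    """
    root = tempfile.mkdtemp(prefix="ironic_file_url_")
    try:
        images = os.path.join(root, "images")          # the only allowed directory
        os.makedirs(images)
        etc = os.path.join(root, "etc")                # stands in for a system config dir
        os.makedirs(etc)
        secret = os.path.join(etc, "secret.conf")
        with open(secret, "w") as f:
            f.write("password = hunter2\n")            # constructed sample content
        image = os.path.join(images, "ubuntu.qcow2")
        with open(image, "wb") as f:
            f.write(b"QFI\xfb")                        # qcow2 magic bytes, nothing more
        link = os.path.join(images, "innocent.qcow2")
        os.symlink(secret, link)                       # inside the allowed dir, points outside

        cases = {
            "image": "file://" + image,
            "config": "file://" + secret,
            "symlink": "file://" + link,
            "traversal": "file://" + images + "/../etc/secret.conf",
            "directory": "file://" + images,
        }

        def accepted(check, url):
            try:
                check(url)
                return True
            except (ValueError, OSError):
                return False

        return {
            name: (accepted(pre_fix_check, url),
                   accepted(lambda u: allowlisted_check(u, [images]), url))
            for name, url in cases.items()
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print("%-10s pre-fix=%-5s allowlisted=%s" % (name, before, after))
```

The order of operations is the point: `os.path.realpath()` runs before the allowlist comparison, so a symlink or a `..` segment that starts under an allowed directory is judged by where it ends up, and `lstat()` on the resolved path then rejects anything that is not a regular file. The pre-fix check accepts the config file, the symlink to it and the traversal path alike, because `os.path.isfile()` only asks whether the final target is a file.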