There is an SQL-injection vulnerability in the inspector's node_cache.find_node(). This function makes an SQL query using unescaped data received on the wire from a server reporting inspection results (specifically, via a POST to the /v1/continue endpoint). The unescaped data should not be trusted - the API is unauthenticated and it's likely that anything with access to the network on which ironic-inspector is listening could exploit the vulnerability. Because of how the results of the query are used, there appears to be no way to exploit this vulnerability to exfiltrate data. It could be exploited for destructive ends by passing malicious data (e.g. "\'; DROP DATABASE;\'"). Every release from RHOS 8 on is affected.
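The query pattern described in the report above, shown beside its bound-parameter form. This is an added example, not ironic-inspector's code and not the upstream patch. The `attributes` table, its columns, the sample rows and all function names are hypothetical, and Python's `sqlite3` stands in for the service's database.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the lookup table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attributes (name TEXT, value TEXT, node_uuid TEXT)")
    db.executemany(
        "INSERT INTO attributes VALUES (?, ?, ?)",
        [("bmc_address", "192.0.2.10", "node-a"),   # constructed sample rows
         ("mac", "52:54:00:12:34:56", "node-b")],
    )
    return db

def find_node_interpolated(db, name, value):
    """'Before' pattern: data from the wire is pasted into the SQL text."""
    query = ("SELECT node_uuid FROM attributes "
             "WHERE name = '%s' AND value = '%s'" % (name, value))
    return [row[0] for row in db.execute(query)]

def find_node_bound(db, name, value):
    """Hardened pattern: values travel separately from the SQL text."""
    query = "SELECT node_uuid FROM attributes WHERE name = ? AND value = ?"
    return [row[0] for row in db.execute(query, (name, value))]

def probe(finder, db, name, value):
    """Return the finder's rows, or 'sql-error' if the statement was rejected."""
    try:
        return finder(db, name, value)
    except (sqlite3.Error, sqlite3.Warning):
        return "sql-error"

if __name__ == "__main__":
    db = make_db()
    untrusted = "'; DROP DATABASE;'"   # the string quoted in the report
    # The value closes the quoted literal and changes the statement's structure.
    print(probe(find_node_interpolated, db, "bmc_address", untrusted))
    # The same value is compared as plain data and simply matches no row.
    print(probe(find_node_bound, db, "bmc_address", untrusted))
```

The rejection seen in the interpolated case comes from `sqlite3` refusing more than one statement per `execute()` call; it is a property of this driver, not a control to rely on.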
Acknowledgments: Name: Zane Bitter (Red Hat)
Created openstack-ironic-inspector tracking bugs for this issue: Affects: openstack-rdo [bug 1712186]
Upstream patch: https://review.opendev.org/660234
Upstream patches:
queens 7.2.4 - https://review.opendev.org/#/c/660306/1
rocky 8.0.3 - https://review.opendev.org/#/c/660305/1
ocata 5.0.2 - https://review.opendev.org/#/c/660310/1
pike 6.0.3 - https://review.opendev.org/#/c/660308/1
stein 8.2.1 - https://review.opendev.org/#/c/660304/1
External References:
https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein
https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky
https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens
https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike
https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata
This issue has been addressed in the following products: Red Hat OpenStack Platform 14.0 (Rocky) Via RHSA-2019:1669 https://access.redhat.com/errata/RHSA-2019:1669
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2019:1722 https://access.redhat.com/errata/RHSA-2019:1722
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2019:1734 https://access.redhat.com/errata/RHSA-2019:1734
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10141
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) director Via RHSA-2019:2505 https://access.redhat.com/errata/RHSA-2019:2505