Bug 2305975 (CVE-2024-8007) - CVE-2024-8007 openstack-tripleo-common: RHOSP Director Disables TLS Verification for Registry Mirrors [NEEDINFO]
Summary: CVE-2024-8007 openstack-tripleo-common: RHOSP Director Disables TLS Verificat...
Keywords:
Status: NEW
Alias: CVE-2024-8007
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2305979 2305980 2305982 2305983 2305984 2305985 2305986 2305987 2305988 2305989 2305990 2305991 2305992 2305993 2305994 2323236
Blocks:
Reported: 2024-08-20 11:04 UTC by Michal Findra
Modified: 2025-05-28 08:27 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
owalsh: needinfo? (mfindra)
lhh: needinfo? (mfindra)
lhh: needinfo? (mfindra)




Links
Red Hat Product Errata RHSA-2024:9990 (last updated 2024-11-21 09:32:33 UTC)
Red Hat Product Errata RHSA-2024:9991 (last updated 2024-11-21 09:28:52 UTC)

Description Michal Findra 2024-08-20 11:04:02 UTC
RHOSP Director has a "container image prepare" step which generates a
deployment configuration file containing the list of container images to
deploy on the OSP nodes based on the user-provided config. It can
optionally populate a local registry and update the configuration file to
reference the locally mirrored images instead.

In the first case, where it just generates the image list, connectivity to
the registry is tested for each of the images unless it is from a
predefined list of secure registries. If TLS verification for this
connection fails then the registry is automatically added to the
DockerInsecureRegistries parameter in the generated config file. This
parameter will ultimately set insecure=true for the referenced registry in
/etc/containers/registry.conf on all hosts while deploying/updating RHOSP
and images will be pulled from the registry insecurely.

In the second case, while mirroring an image, the same connectivity check
is used. If TLS verification of this connection fails then TLS verification
is disabled for the image mirroring task.

With TLS verification disabled a MITM attack delivering tainted container
images would not be detected.
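The following is an added illustration of the fail-open behaviour described above placed beside a fail-closed alternative; it is not code from tripleo-common or from the reporter. The function names, the injected probe callback, the TRUSTED_REGISTRIES set and the sample image references are all constructed for the demo. The hardened variant refuses to add a registry to DockerInsecureRegistries on its own and only honours an explicit operator opt-out; the audit helper is the review check a deployer can run over a generated configuration to find insecure registries nobody approved. The same fail-open versus fail-closed choice applies to the mirroring path the report mentions.

```python
"""Fail-open vs fail-closed handling of a TLS failure while probing a registry.

Added example, not tripleo-common code. All names below are constructed.
"""
import ssl
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample of the image list a "container image prepare" step would emit.
SAMPLE_IMAGES = [
    "registry.redhat.io/rhosp-rhel9/openstack-nova-api:17.1",
    "mirror.example.internal:5000/rhosp-rhel9/openstack-glance-api:17.1",
    "satellite.example.internal/rhosp-rhel9/openstack-keystone:17.1",
]

# Constructed stand-in for the predefined list of registries that are never probed.
TRUSTED_REGISTRIES: Set[str] = {"registry.redhat.io"}

# A probe returns normally when a verified TLS connection succeeds and raises
# ssl.SSLError when certificate verification fails (injected so the demo runs offline).
Probe = Callable[[str], None]


def registry_of(image: str) -> str:
    """Return the registry host[:port] component of an image reference."""
    first = image.split("/", 1)[0]
    # A bare name such as "nginx" carries no registry; Docker Hub is the default.
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io"
    return first


def prepare_fail_open(images: Iterable[str], probe: Probe) -> Dict[str, List[str]]:
    """Behaviour the report describes: a TLS failure silently marks the registry insecure."""
    insecure: List[str] = []
    for image in images:
        reg = registry_of(image)
        if reg in TRUSTED_REGISTRIES or reg in insecure:
            continue
        try:
            probe(reg)
        except ssl.SSLError:
            # Fail open: every later pull from this registry skips TLS verification.
            insecure.append(reg)
    return {"DockerInsecureRegistries": insecure}


def prepare_fail_closed(images: Iterable[str], probe: Probe,
                        operator_insecure_allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """Hardened variant: a TLS failure aborts unless the operator explicitly opted the registry out."""
    allow = set(operator_insecure_allowlist)
    insecure: List[str] = []
    for image in images:
        reg = registry_of(image)
        if reg in TRUSTED_REGISTRIES:
            continue
        if reg in allow:
            # Only an explicit, operator-supplied entry ever lands in the generated config.
            if reg not in insecure:
                insecure.append(reg)
            continue
        try:
            probe(reg)
        except ssl.SSLError as exc:
            raise RuntimeError(
                f"TLS verification failed for {reg}; refusing to mark it insecure automatically"
            ) from exc
    return {"DockerInsecureRegistries": insecure}


def audit_insecure_registries(config: Dict[str, List[str]],
                              operator_insecure_allowlist: Iterable[str]) -> List[str]:
    """Review check for an existing config: insecure registries nobody explicitly approved."""
    listed = set(config.get("DockerInsecureRegistries", []))
    return sorted(listed - set(operator_insecure_allowlist))


def make_probe(failing: Set[str]) -> Probe:
    """Build an offline probe that fails verification for the given registries (constructed)."""
    def probe(reg: str) -> None:
        if reg in failing:
            raise ssl.SSLError(1, "certificate verify failed")  # constructed failure
    return probe


if __name__ == "__main__":
    probe = make_probe({"mirror.example.internal:5000"})
    print("fail-open config:", prepare_fail_open(SAMPLE_IMAGES, probe))
    try:
        prepare_fail_closed(SAMPLE_IMAGES, probe, [])
    except RuntimeError as err:
        print("fail-closed refused:", err)
    print("with explicit opt-out:",
          prepare_fail_closed(SAMPLE_IMAGES, probe, ["mirror.example.internal:5000"]))
```

Running the script shows the fail-open variant quietly producing a DockerInsecureRegistries entry for the mirror whose certificate did not verify, while the fail-closed variant stops the prepare step and reports the registry; the audit helper applied to a config already in hand returns the entries that did not come from the operator's own opt-out list.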

Comment 10 errata-xmlrpc 2024-11-21 09:28:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:9991 https://access.redhat.com/errata/RHSA-2024:9991

Comment 11 errata-xmlrpc 2024-11-21 09:32:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:9990 https://access.redhat.com/errata/RHSA-2024:9990

