2364264 – (CVE-2025-44021) CVE-2025-44021 openstack-ironic: unsafe image file:// paths

Bug 2364264 (CVE-2025-44021) - CVE-2025-44021 openstack-ironic: unsafe image file:// paths

Summary: CVE-2025-44021 openstack-ironic: unsafe image file:// paths

Keywords:
Status:	NEW
Alias:	CVE-2025-44021
Deadline:	2025-05-08
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-06 00:14 UTC by OSIDB Bzimport
Modified:	2025-05-09 05:15 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-06 00:14:45 UTC

Before this change, Ironic did not filter file:// paths when used as an
image source except to ensure they were a file (and not, e.g. a
character device). This is problematic from a security perspective
because you could end up with config files from well-known paths being
written to disk on a node.

The allowlist default list is huge, but it includes all known usages of
file:// URLs across Bifrost, Ironic, Metal3, and OpenShift in both CI
and default configuration.

For the backportable version of this patch for stable branches, we have
omitted the unconditional block of system paths in order to permit
operators using those branches to fully disable the new security
functionality.

Note You need to log in before you can comment on or make changes to this bug.