
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN432
_____________________________________________________________________

DATE                : 28/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ironic versions prior to 26.1.6,
                     29.0.5, 32.0.1, 35.0.1.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-008.html
_____________________________________________________________________


OSSA-2026-008: Command Injection in Ironic IPMI Console Implementations

Date:

    April 27, 2026
CVE:

    CVE-2026-pending

Affects

    Ironic: >=4.3.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1,
            >=33.0.0 <35.0.1


Description

Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team
reported a vulnerability in Ironic's IPMI console backends. A project
manager of the project recorded as a node's owner (node.owner) can
inject arbitrary commands, which a conductor executes when the console
is activated. No console backends are enabled by default in Ironic.
Only installations that have set [conductor]/enabled_console_interfaces
to enable either ipmitool-shellinabox or ipmitool-socat are vulnerable.
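
As an added example (not part of the advisory and not Ironic's own
code), the following Python script shows one way an operator can check
whether a deployment falls in the affected population described above:
it reads the [conductor]/enabled_console_interfaces option from an
ironic.conf text (section and option names as given in the advisory)
and compares an Ironic version string against the ranges listed under
Affects. The sample configuration and version strings are constructed
for illustration; where the configuration and version come from in a
real deployment is an assumption left to the operator.

```python
"""Added example (not from the OSSA-2026-008 advisory or Ironic itself):
assess an ironic.conf text and an Ironic version string against the
affected ranges and the vulnerable console interfaces the advisory names."""
import configparser

# Affected ranges copied from the advisory's "Affects" section:
# lower bound inclusive, upper bound exclusive (the fixed release).
AFFECTED_RANGES = [
    ((4, 3, 0), (26, 1, 6)),
    ((27, 0, 0), (29, 0, 5)),
    ((30, 0, 0), (32, 0, 1)),
    ((33, 0, 0), (35, 0, 1)),
]

# Console interfaces the advisory names as vulnerable.
VULNERABLE_CONSOLE_INTERFACES = {"ipmitool-shellinabox", "ipmitool-socat"}


def parse_version(text):
    """Turn '29.0.4' into (29, 0, 4); trailing non-numeric parts are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_affected(version):
    """True if the version lies inside any affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def enabled_console_interfaces(conf_text):
    """Set of interfaces listed in [conductor]/enabled_console_interfaces."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("conductor", "enabled_console_interfaces", fallback="")
    return {item.strip() for item in raw.split(",") if item.strip()}


def assess(conf_text, version):
    """Combine both checks: a deployment is exposed only when it runs an
    affected version AND has enabled one of the named console interfaces."""
    enabled = enabled_console_interfaces(conf_text)
    exposed = enabled & VULNERABLE_CONSOLE_INTERFACES
    affected_version = version_is_affected(version)
    return {
        "version_affected": affected_version,
        "vulnerable_interfaces_enabled": sorted(exposed),
        "exposed": affected_version and bool(exposed),
    }


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """
[DEFAULT]
enabled_hardware_types = ipmi

[conductor]
enabled_console_interfaces = no-console,ipmitool-socat
"""

if __name__ == "__main__":
    # Constructed version strings: one inside and one just past an affected range.
    for sample_version in ("29.0.4", "29.0.5"):
        print(sample_version, assess(SAMPLE_CONF, sample_version))
```

The verdict deliberately requires both conditions, mirroring the
advisory: an affected version with only no-console enabled is not
exposed, and a patched version with ipmitool-socat enabled is not
exposed either. The interface set check is the part worth keeping even
after upgrading, given the advisory's note that ipmitool-shellinabox is
scheduled for removal.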


Patches

    https://review.opendev.org/c/openstack/ironic/+/986418 (2023.1/antelope (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/986417 (2024.1/caracal (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/986363 (2024.2/dalmatian)

    https://review.opendev.org/c/openstack/ironic/+/986362 (2025.1/epoxy)

    https://review.opendev.org/c/openstack/ironic/+/986361 (2025.2/flamingo)

    https://review.opendev.org/c/openstack/ironic/+/986235 (2026.1/gazpacho)


Credits

    Dmitry Tantsur from Metal3.io Security Team

    Tuomo Tanskanen from Metal3.io Security Team


References

    https://launchpad.net/bugs/2148331

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending

Notes

    A CVE request was filed with MITRE on 2026-04-27.

    Patches for unmaintained branches are provided as a courtesy.

    The ipmitool-shellinabox console interface is already scheduled
    for removal from Ironic for lack of security support for
    shellinabox. Security-sensitive operators are strongly encouraged
    to stop use of this console interface immediately.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================