=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN591
_____________________________________________________________________

DATE                : 04/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ironic versions prior to 35.0.2,
                     32.0.2, 29.0.6, 26.1.7.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-017.html
https://security.openstack.org/ossa/OSSA-2026-018.html
https://security.openstack.org/ossa/OSSA-2026-019.html
_____________________________________________________________________


OSSA-2026-017: Script injection during node boot via linux command
line override

Date:

    June 03, 2026

CVE:

    CVE-2026-46447

Affects

    Ironic: >=17.0.0 <26.1.7, >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2

Description

Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology)
from the Metal3.io Security Team reported a vulnerability in Ironic’s
kernel command line override code. A user with access to add or modify
node.driver_info or node.instance_info can create a crafted value to enable
iPXE script execution during the boot process.


Patches

    https://review.opendev.org/c/openstack/ironic/+/991387 (2023.1/antelope (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/991383 (2024.1/caracal (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/991380 (2025.1/epoxy)

    https://review.opendev.org/c/openstack/ironic/+/991377 (2025.2/flamingo)

    https://review.opendev.org/c/openstack/ironic/+/991374 (2026.1/gazpacho)

    https://review.opendev.org/c/openstack/ironic/+/991365 (2026.2/hibiscus (development))

    https://review.opendev.org/c/openstack/ironic/+/991371 (Bugfix/33.0)

    https://review.opendev.org/c/openstack/ironic/+/991368 (Bugfix/34.0)

Credits

    Dmitry Tantsur from Red Hat

    Tuomo Tanskanen from Ericsson Software Technology

References

    https://bugs.launchpad.net/ironic/+bug/2150624

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-46447

Notes

    Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches are
provided as a courtesy. Releases 2023.2 (bobcat) and 2024.2 (dalmatian) are end
of life and have not had patches provided. See https://releases.openstack.org
for more information on supported releases.

    Ironic bugfix branch patches will be available in git for interested
operators. We will not perform an additional release from these branches.

    This fix removes the ability to put some valid – but unlikely – special
characters into kernel command line overrides. There is an escape hatch for
impacted clouds: setting CONF.conductor.disable_kernel_parameter_parsing to
true restricts Ironic to blocking only the most dangerous, nonsensical
special characters, at the cost of being less hardened against future
attacks.
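A defender-side audit of the override values described in OSSA-2026-017, added here as an example and not Ironic's own validation code. It assumes the override is stored under the key kernel_append_params in node.driver_info or node.instance_info, and the two character sets are this example's choices, not the list used by the fix; the relaxed mode mirrors the trade-off of the disable_kernel_parameter_parsing escape hatch.

```python
import re

# Characters that let a value break out of the single command line it is
# meant to extend: control characters (newlines above all) start a new boot
# loader command, the rest are shell and template metacharacters. Both sets
# are this example's assumptions, not the list used by Ironic's fix.
STRICT_FORBIDDEN = set(";&|<>`$(){}\\\"'")
CONTROL = {chr(i) for i in range(32)} | {"\x7f"}
# One parameter token: "quiet", "console=ttyS0,115200n8", "root=/dev/sda1".
TOKEN_RE = re.compile(r"^[A-Za-z0-9_.:+/,=@-]+$")


def audit_kernel_params(value, disable_parameter_parsing=False):
    """Return a list of problems in one kernel command line override value.

    disable_parameter_parsing=True mirrors the advisory's escape hatch: only
    the most dangerous characters are rejected and tokens are not parsed.
    An empty list means the value passed.
    """
    forbidden = CONTROL if disable_parameter_parsing else CONTROL | STRICT_FORBIDDEN
    found = sorted(c for c in set(value) if c in forbidden)
    problems = []
    if found:
        problems.append(f"forbidden characters: {''.join(found)!r}")
    if not disable_parameter_parsing:
        problems.extend(f"malformed parameter token: {tok!r}"
                        for tok in value.split() if not TOKEN_RE.match(tok))
    return problems


def audit_nodes(nodes, disable_parameter_parsing=False):
    """Scan node records shaped like Ironic's API output (constructed dicts
    with uuid, driver_info and instance_info) and return the offending ones
    as {uuid: [problem, ...]}."""
    findings = {}
    for node in nodes:
        for section in ("driver_info", "instance_info"):
            value = node.get(section, {}).get("kernel_append_params")
            if not isinstance(value, str):
                continue  # unset, or not a string at all: nothing to parse
            for problem in audit_kernel_params(value, disable_parameter_parsing):
                findings.setdefault(node["uuid"], []).append(
                    f"{section}.kernel_append_params: {problem}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one clean node and one with a suspicious override.
    sample = [
        {"uuid": "node-a", "instance_info": {},
         "driver_info": {"kernel_append_params": "console=ttyS0,115200n8 nofb"}},
        {"uuid": "node-b", "driver_info": {},
         "instance_info": {"kernel_append_params": "quiet\n$(x)"}},
    ]
    for uuid, problems in audit_nodes(sample).items():
        print(uuid, *problems, sep="\n  ")
```

Running the same node list with disable_parameter_parsing=True shows what the escape hatch gives up: the newline is still caught, but the shell metacharacters are not.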

_____________________________________________________________________


OSSA-2026-018: File overwrite on Ironic conductor via path traversal
in ISO handling

Date:

    June 03, 2026

CVE:

    CVE-2026-48681

Affects

    Ironic: >=17.0.0 <26.1.7, >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2

Description

Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology)
from the Metal3.io Security Team reported a vulnerability in Ironic’s ISO
handling code. A maliciously crafted ISO image can cause Ironic to perform
path traversal and overwrite files on a conductor’s disk. Similarly, in
the anaconda deploy interface, the same vulnerability can be exploited to
perform path traversal and overwrite files on the target disk during
deployment. Any Ironic user who has access to deploy nodes using
configdrive, a virtual media-based boot interface or the anaconda deploy
interface can exploit this issue.


Patches

    https://review.opendev.org/c/openstack/ironic/+/991388 (2023.1/antelope (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/991384 (2024.1/caracal (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/991381 (2025.1/epoxy)

    https://review.opendev.org/c/openstack/ironic/+/991378 (2025.2/flamingo)

    https://review.opendev.org/c/openstack/ironic/+/991375 (2026.1/gazpacho)

    https://review.opendev.org/c/openstack/ironic/+/991366 (2026.2/hibiscus (development))

    https://review.opendev.org/c/openstack/ironic/+/991372 (Bugfix/33.0)

    https://review.opendev.org/c/openstack/ironic/+/991369 (Bugfix/34.0)

Credits

    Dmitry Tantsur from Red Hat

    Tuomo Tanskanen from Ericsson Software Technology


References

    https://bugs.launchpad.net/ironic/+bug/2148333

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48681


Notes

    Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches
are provided as a courtesy. Releases 2023.2 (bobcat) and 2024.2 (dalmatian)
are end of life and have not had patches provided. See
https://releases.openstack.org for more information on supported releases.

    Ironic bugfix branch patches will be available in git for interested
operators. We will not perform an additional release from these branches.

_____________________________________________________________________


OSSA-2026-019: File Extraction from Ironic conductor via pxe_template

Date:

    June 03, 2026

CVE:

    CVE-2026-44917

Affects

    Ironic: >=17.0.0 <26.1.7, >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2

Description

Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology)
from the Metal3.io Security Team reported a vulnerability in Ironic’s boot
interfaces. A project owner or manager with access to modify
node.driver_info[pxe_template] can set it to /etc/ironic/ironic.conf or any
other sensitive file readable by the conductor process. Ironic will then
place this “template file” into a TFTP or HTTP server for netbooting, where
it can be fetched by anything with network access to the conductor. Ironic
intends to remove this feature completely in a future release.
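Both OSSA-2026-018 (ISO members written outside the extraction directory) and OSSA-2026-019 (a pxe_template pointing at an arbitrary conductor file) come down to one check: a caller-supplied name must resolve inside a directory the conductor trusts. The containment helper below serves both cases; it is an added example, not Ironic's patch, and the directory paths and ISO member names are constructed for illustration.

```python
import os


def contained_path(base_dir, name):
    """Join name onto base_dir and return the resolved absolute path, or None
    when the result would escape base_dir.

    A leading "/" is stripped first because os.path.join discards base_dir
    when its second argument is absolute; ".." components and symlinks are
    resolved by realpath before the containment check.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def plan_iso_extraction(members, dest_dir):
    """Map each ISO member name to its destination under dest_dir, refusing the
    whole image if any member would land outside it. `members` is the list of
    names an ISO reader would yield; the caller extracts only from the plan."""
    plan = {}
    for name in members:
        target = contained_path(dest_dir, name)
        if target is None:
            raise ValueError(f"ISO member escapes {dest_dir}: {name!r}")
        plan[name] = target
    return plan


def select_pxe_template(template_dir, pxe_template):
    """Accept node.driver_info['pxe_template'] only as a name relative to the
    trusted template_dir, so /etc/ironic/ironic.conf or any other file readable
    by the conductor cannot be published over TFTP/HTTP as a "template"."""
    if not pxe_template or os.path.isabs(pxe_template):
        raise ValueError(f"pxe_template must be a name relative to {template_dir}")
    target = contained_path(template_dir, pxe_template)
    if target is None:
        raise ValueError(f"pxe_template escapes {template_dir}: {pxe_template!r}")
    return target


if __name__ == "__main__":
    # Constructed member list as an ISO reader might yield it (leading "/").
    members = ["/EFI/BOOT/BOOTX64.EFI", "/isolinux/isolinux.cfg"]
    for name, dest in plan_iso_extraction(members, "/srv/ironic-example/iso").items():
        print(f"{name} -> {dest}")
    print(select_pxe_template("/srv/ironic-example/templates", "pxe_config.template"))
```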


Patches

    https://review.opendev.org/c/openstack/ironic/+/991389 (2023.1/antelope (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/991385 (2024.1/caracal (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/991382 (2025.1/epoxy)

    https://review.opendev.org/c/openstack/ironic/+/991379 (2025.2/flamingo)

    https://review.opendev.org/c/openstack/ironic/+/991376 (2026.1/gazpacho)

    https://review.opendev.org/c/openstack/ironic/+/991367 (2026.2/hibiscus (development))

    https://review.opendev.org/c/openstack/ironic/+/991373 (Bugfix/33.0)

    https://review.opendev.org/c/openstack/ironic/+/991370 (Bugfix/34.0)


Credits

    Dmitry Tantsur from Red Hat

    Tuomo Tanskanen from Ericsson Software Technology


References

    https://bugs.launchpad.net/ironic/+bug/2148319

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44917


Notes

    Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches
are provided as a courtesy. Releases 2023.2 (bobcat) and 2024.2 (dalmatian)
are end of life and have not had patches provided. See
https://releases.openstack.org for more information on supported releases.

    Ironic bugfix branch patches will be available in git for interested
operators. We will not perform an additional release from these branches.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================