logo

Database

Improper authorization control for web services In github.com/metal3-io/ironic-standalone-operator

Description

Ironic Standalone Operator's controller modifies user-owned resources without consent

Impact

The Ironic Standalone Operator (IRSO) is the operator to maintain an Ironic deployment for Metal3. IRSO controller automatically adds its environment label to user-provided Secrets and ConfigMaps without the resource owner's consent. A high-privilege controller modifying user-owned resources constitutes an unauthorized integrity violation. Deployments running IrSO v0.7.0 through v0.8.1 that reference user-provided Secrets or ConfigMaps (TLS certificates, BMC CA, trusted CA) are affected.

Patches

Fixed in v0.9.0, v0.8.2, v0.7.3.

Workarounds

Manually add the environment label (ironic-standalone-operator.metal3.io/environment) to all user-provided Secrets and ConfigMaps before they are referenced in the Ironic resource. This prevents the controller from modifying them.

Resources

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-hfc8-w5f4-3x6m2. GCVE-GHSA-hfc8-w5f4-3x6m

References

1. https://github.com/metal3-io/ironic-standalone-operator/security/advisories/GHSA-hfc8-w5f4-3x6m2. https://github.com/metal3-io/ironic-standalone-operator/pull/6193. https://github.com/metal3-io/ironic-standalone-operator/pull/6644. https://github.com/metal3-io/ironic-standalone-operator/pull/665

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.