OpenStack Ironic Denial-of-Service Vulnerability via Infinite Loop in Checksum Calculations

Vulnerability

A denial-of-service vulnerability has been identified in OpenStack Ironic versions through 35.x prior to a3f6d73. During image handling, an authenticated user can set an image source to a file URL that points at an infinite byte stream, such as file:///dev/zero. The checksum calculation then reads and hashes the stream forever, stalling the worker thread that performs it. The root cause is an ordering error: the checksum is computed before the URL is checked against the blocklist of sensitive file paths, so the blocklist never gets a chance to reject the source. Repeated requests exhaust the conductor's worker threads and produce a complete denial of service.

Impact

Exploitation permanently stalls Ironic conductor worker threads, which is a resource-exhaustion condition rather than a crash. Each deployment request whose image source is a file URL such as file:///dev/zero (a path that should have been blocked) ties up one conductor thread indefinitely. With enough concurrent requests, every available conductor thread is consumed and the service stops processing work.

Reproduction

The vulnerability can be reproduced in a standalone OpenStack Ironic deployment by an authenticated user. After enrolling a node for provisioning, set the node's instance_info.image_source to file:///dev/zero and request a deployment. The conductor thread handling the deployment hangs indefinitely while computing the image checksum, and the deployment never completes.
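The following is an added illustration, not Ironic's own code, of the check ordering the advisory describes and of why it matters. It models the image source as a small in-memory fixture: a constructed stand-in for file:///dev/zero that never returns end-of-file, a constructed path /tmp/endless.fifo that is equally endless but absent from the blocklist, and a constructed finite image at /srv/images/good.img. BLOCKED_PATHS, validate_vulnerable, validate_fixed, run_check and the 16 MiB size cap are all hypothetical names and values chosen for the example; the cap is a defense-in-depth measure added here, not part of the fix the advisory mentions. validate_vulnerable hashes first and consults the blocklist second, so on the endless stream it stalls its thread exactly as the advisory states; validate_fixed consults the blocklist before opening anything and also bounds how many bytes it is willing to hash.

```python
"""Added example: check ordering for image checksum validation (not Ironic code)."""
import hashlib
import io
import threading
from urllib.parse import urlparse

# Hypothetical blocklist of sensitive local paths (assumption; Ironic's real list differs).
BLOCKED_PATHS = {"/dev/zero", "/dev/random", "/dev/urandom", "/etc/shadow"}

CHUNK = 64 * 1024
MAX_IMAGE_BYTES = 16 << 20  # hypothetical 16 MiB cap, defense in depth for this example

# Constructed fixture: a finite image that a legitimate deploy would reference.
IMAGES = {"/srv/images/good.img": b"constructed disk image contents " * 1000}


class EndlessZeroStream:
    """Constructed stand-in for /dev/zero: returns zeros until the harness sets `stop`."""

    def __init__(self, stop):
        self.stop = stop

    def read(self, n):
        if self.stop.is_set():
            return b""  # lets a stalled worker unwind once the demo is over
        return b"\x00" * n


def open_source(url, stop):
    """Map a file:// URL to a byte stream (constructed mapping, no real I/O)."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ValueError("only file:// URLs are handled in this example")
    if parsed.path in ("/dev/zero", "/tmp/endless.fifo"):
        return EndlessZeroStream(stop)
    return io.BytesIO(IMAGES[parsed.path])


def sha256_of(stream, max_bytes=None):
    """Hash a stream chunk by chunk; with max_bytes=None this loops until EOF, which
    an endless stream never produces."""
    digest = hashlib.sha256()
    total = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return digest.hexdigest()
        total += len(chunk)
        if max_bytes is not None and total > max_bytes:
            raise ValueError(f"image exceeds {max_bytes} bytes")
        digest.update(chunk)


def validate_vulnerable(url, stop):
    """Vulnerable order from the advisory: checksum first, blocklist second.
    For an endless source the first line never returns, so the blocklist is useless."""
    digest = sha256_of(open_source(url, stop))
    if urlparse(url).path in BLOCKED_PATHS:
        raise PermissionError(f"blocked source: {url}")
    return digest


def validate_fixed(url, stop, max_bytes=MAX_IMAGE_BYTES):
    """Hardened order: reject blocked paths before opening the source, and refuse to
    hash more than max_bytes so an unlisted endless source cannot stall the thread."""
    if urlparse(url).path in BLOCKED_PATHS:
        raise PermissionError(f"blocked source: {url}")
    return sha256_of(open_source(url, stop), max_bytes=max_bytes)


def run_check(validator, url, timeout=1.0):
    """Run a validator on a worker thread, like a conductor would. Returns the digest,
    the name of the exception raised, or "STALLED" if the thread is still busy after
    `timeout` seconds (the condition that exhausts conductor threads)."""
    result = {}
    stop = threading.Event()

    def worker():
        try:
            result["value"] = validator(url, stop)
        except Exception as exc:  # report the failure kind instead of a traceback
            result["value"] = type(exc).__name__

    thread = threading.Thread(target=worker, daemon=True)
    thread.start()
    thread.join(timeout)
    if thread.is_alive():
        stop.set()       # release the simulated endless stream so the thread exits
        thread.join(1.0)
        return "STALLED"
    return result["value"]


if __name__ == "__main__":
    for name, validator in (("vulnerable", validate_vulnerable), ("fixed", validate_fixed)):
        for url in ("file:///srv/images/good.img", "file:///dev/zero", "file:///tmp/endless.fifo"):
            print(f"{name:10s} {url:32s} -> {run_check(validator, url)}")
```

The ordering fix alone stops the /dev/zero case, but a blocklist is enumerative: the constructed /tmp/endless.fifo path shows that an unlisted endless source still stalls validate_vulnerable, while the size cap in validate_fixed turns it into an immediate error. Bounding the number of bytes hashed is the check a practitioner would want alongside the ordering fix.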

Remediation

Upgrade to OpenStack Ironic 35.0.1 or later, which contains the fix.

Added: May 14, 2026, 2:29 AM
Updated: May 14, 2026, 2:29 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.