#1135255 CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console Implementations

Package:
src:ironic
Source:
src:ironic
Submitter:
Thomas Goirand
Date:
2026-05-26 21:19:01 UTC
Severity:
normal
#1135255#5
Date:
2026-04-30 06:35:27 UTC
Copying from:
https://security.openstack.org/ossa/OSSA-2026-008.html

Date:
    April 27, 2026
CVE:
    CVE-2026-42510

Affects
    Ironic: >=4.3.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1,
    >=33.0.0 <35.0.1

Description

Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team reported a
vulnerability in Ironic’s IPMI console backends. A project manager for the
project marked as a node.owner can inject arbitrary commands which a conductor
executes on console activation. No console backends are enabled by default in
Ironic. Only installations which have set
[conductor]/enabled_console_interfaces to enable either ipmitool-shellinabox or
ipmitool-socat are vulnerable.

Errata

When the original advisory was published a CVE number was not assigned.
CVE-2026-42510 was assigned on 2026-04-29.

Patches
https://review.opendev.org/c/openstack/ironic/+/986418 (2023.1/antelope (unmaintained))
https://review.opendev.org/c/openstack/ironic/+/986417 (2024.1/caracal (unmaintained))
https://review.opendev.org/c/openstack/ironic/+/986363 (2024.2/dalmatian)
https://review.opendev.org/c/openstack/ironic/+/986362 (2025.1/epoxy)
https://review.opendev.org/c/openstack/ironic/+/986361 (2025.2/flamingo)
https://review.opendev.org/c/openstack/ironic/+/986235 (2026.1/gazpacho)

Credits
    Dmitry Tantsur from Metal3.io Security Team
    Tuomo Tanskanen from Metal3.io Security Team

References
https://launchpad.net/bugs/2148331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42510

Notes

    A CVE request was filed with MITRE on 2026-04-27.
    Patches for unmaintained branches are provided as a courtesy.
    The ipmitool-shellinabox console interface is already scheduled for removal from Ironic for lack of security support for shellinabox. Security sensitive operators are strongly encouraged to stop use of this console interface immediately.

OSSA History
    2026-04-29 - Errata 1
    2026-04-27 - Original Version
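As an added illustration of the bug class the advisory describes (example code written for this page, not Ironic's console driver; the command template, dictionary keys and function names are assumptions): a console command built by interpolating node-owner-controlled values into a string that a shell or socat's EXEC: address re-parses, beside the shell-quoted form the upstream fix title refers to, with a check a reviewer or unit test can use to spot a command boundary in the re-parsed result.

```python
import shlex

# Constructed samples of the per-node values a node owner can edit. Ironic's
# real driver_info keys and its socat EXEC: address are not reproduced here.
SAFE_INFO = {"address": "10.0.0.5", "port": "623", "username": "admin"}
HOSTILE_INFO = {"address": "10.0.0.5; echo injected",
                "port": "623", "username": "admin"}

# Hypothetical command template; the real console command differs.
TEMPLATE = "ipmitool -H {address} -p {port} -U {username} sol activate"


def build_unquoted(info):
    """Vulnerable pattern: owner-controlled values are interpolated verbatim
    into one string that a shell (or socat's EXEC: address, which takes a
    command string rather than an argv list) will split again."""
    return TEMPLATE.format(**info)


def build_quoted(info):
    """Hardened pattern: shlex.quote() wraps each value so that the second
    parse yields exactly one argument per value, whatever it contains."""
    return TEMPLATE.format(**{k: shlex.quote(str(v)) for k, v in info.items()})


def shell_tokens(cmd):
    """Split cmd the way a POSIX shell would, returning runs of ';', '|'
    and '&' as their own tokens so a command boundary is visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split on whitespace and punctuation (3.8+)
    return list(lexer)


def has_command_boundary(cmd):
    """Review/test check: True if the re-parsed command contains a control
    operator, meaning a second command would be started."""
    control = set(";|&")
    return any(tok and set(tok) <= control for tok in shell_tokens(cmd))


if __name__ == "__main__":
    for label, build in (("unquoted", build_unquoted), ("quoted", build_quoted)):
        cmd = build(HOSTILE_INFO)
        print(label, "->", shell_tokens(cmd),
              "boundary:", has_command_boundary(cmd))
```

Where the called program accepts an argv list, passing a list without a shell is simpler still; quoting is the fix here because socat receives a single command string.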

#1135255#12
Date:
2026-04-30 08:02:42 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/99d32cfd2a4870b1a7883e00a6ee478174396730
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#17
Date:
2026-04-30 08:03:17 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/3dc2ee6307b0db3e1d40ec3c9d7b54579c66e7e7
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#20
Date:
2026-04-30 08:13:36 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/83f54c91e14c79e378323d6fa1453da039910cb1
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#23
Date:
2026-04-30 08:13:48 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/d06c0ca94699cad2b0e919e586df018400fdb752
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#26
Date:
2026-04-30 08:16:45 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/9a8e9bbec26bf570b3f371e2bd70db470b4160f2
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#29
Date:
2026-04-30 08:17:04 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/2c2adff0dd6f5a945aee25715432ac43c1ff21d9
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#32
Date:
2026-04-30 08:19:46 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/4ac03e3852300db8d3518d4b02e0d34c032b78fc
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#35
Date:
2026-04-30 08:19:59 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/2178fc31066b8f1d9855f09a1d01eed0de57a985
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#38
Date:
2026-04-30 08:53:28 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/5cc4660ef7f64ca8838e2449b107733efaec6484
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
  * CVE-2025-44021: Ironic fails to restrict paths used for file:// image URLs.
    Add upstream patch: OSSA-2025-001_Disallow+unsafe_image_file_paths.patch.
    (Closes: #1104964).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#41
Date:
2026-04-30 08:58:13 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/3009aaa54816fe06ba10b1aa39390cf6207efe26
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#44
Date:
2026-05-07 09:05:19 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/6fdcfbb582ba31ea3253a902106886c0c041131f
------------------------------------------------------------------------
* New upstream release. Include fixes for:
    - CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
      Endpoints via Ironic’s idrac Configuration molds Feature
      (Closes: #1135898).
    - CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
      Implementations. Applied upstream patch: "Shell-quote console command
      passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#47
Date:
2026-05-07 09:07:24 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/686728947a7fe357566e25cf0f2379a5dc58ca62
------------------------------------------------------------------------
* New upstream release. Include fixes for:
    - CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
      Endpoints via Ironic’s idrac Configuration molds Feature
      (Closes: #1135898).
    - CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
      Implementations. Applied upstream patch: "Shell-quote console command
      passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#52
Date:
2026-05-07 09:42:04 UTC
Hello,

Bug #1135255 in ironic reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic/-/commit/9a03b4ddd250b5fa771829b2cb22cc3eac911608
------------------------------------------------------------------------
* CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
    Implementations. Applied upstream patch: "Shell-quote console command
    passed to socat" (Closes: #1135255).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135255

#1135255#59
Date:
2026-05-24 09:02:48 UTC
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Apr 2026 10:41:21 +0200
Source: ironic
Architecture: source
Version: 1:21.1.0-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1104964 1135255 1135898 1136005
Changes:
 ironic (1:21.1.0-3+deb12u1) bookworm; urgency=medium
 .
   * CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
     Implementations. Applied upstream patch: "Shell-quote console command
     passed to socat" (Closes: #1135255).
   * CVE-2025-44021: Ironic fails to restrict paths used for file:// image URLs.
     Add upstream patch: OSSA-2025-001_Disallow+unsafe_image_file_paths.patch.
     (Closes: #1104964).
   * Add qemu-utils as build-depends because of tests from CVE-2025-44021 fix.
   * CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
     Endpoints via Ironic’s idrac Configuration molds Feature. Add upstream
     patch validate_molds_url_against_swift_in_keystone_catalog.patch.
     (Closes: #1135898).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and if the infrastructure operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiled out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).

#1135255#64
Date:
2026-05-26 21:17:05 UTC
We believe that the bug you reported is fixed in the latest version of
ironic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Apr 2026 10:05:36 +0200
Source: ironic
Architecture: source
Version: 1:29.0.5-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135255 1135898 1136005 1136655
Changes:
 ironic (1:29.0.5-0+deb13u1) trixie; urgency=medium
 .
   * New upstream release. Include fixes for:
     - CVE-2026-42997 / OSSA-2026-010: Credential Forwarding to Arbitrary
       Endpoints via Ironic’s idrac Configuration molds Feature
       (Closes: #1135898).
     - CVE-2026-42510 / OSSA-2026-008: Command Injection in Ironic IPMI Console
       Implementations. Applied upstream patch: "Shell-quote console command
       passed to socat" (Closes: #1135255).
   * CVE-2026-44916: instance_info['ks_template'] is rendered without
     sandboxing. An attacker with sufficient access, an ironic deployment with
     the anaconda deploy interface, a node with the anaconda deployment
     interface set by an admin, and a malicious template could result in
     conductor internal data being rendered and if the infrastructure operator is
     allowing traffic egress for the provisioning network, could have sensitive
     internal data exfiled out of the environment. Applied upstream patch:
     - CVE-2026-44916_Use_sandbox_rendering_for_jinja2.patch
     (Closes: #1136005).
   * CVE-2026-44919: during image handling, an infinite loop in checksum
     calculations can occur via the file:///dev/zero URL. Add upstream patch:
     move_file_url_validation_up_into_deploy_utils_main_path.patch.
     (Closes: #1136655).