Bug 1086381 (CVE-2014-0175)

Summary: CVE-2014-0175 mcollective: default password set at install
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkeck, jrusnack, kseifried, lmeyer, mmcgrath, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-15 19:44:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1086500, 1086501, 1187464    
Bug Blocks: 1083866    

Description Kurt Seifried 2014-04-10 18:03:41 UTC 
mcollective includes a default username and password:

username: mcollective
password: marionette

The password should be set to a random value or specified during install time.
Comment 1 Luke Meyer 2014-04-10 18:09:41 UTC 
openshift.sh has configuration options for this and other auth parameters.

This one in particular has to be the same across all hosts in the deployment, while openshift.sh only installs a single host, so it can't just be randomized if not given (at least, not if we want a decent user experience). Similar for mongo auth and BIND keys.

oo-install has a multi-host install perspective and could usefully randomize these parameters. Currently it doesn't enable doing that, however it's on the intended feature list.
Comment 4 Luke Meyer 2014-04-15 13:39:05 UTC 
Well, if this is a vulnerability at all, can we be more specific?

What is "the installer" here? We have:

1. Docs for manual install (which do mention substituting a password e.g. https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/Deployment_Guide/index.html#Configuring_MCollective )
2. openshift.sh/.ks, which provides a parameter for changing this default (https://github.com/openshift/openshift-extras/blob/enterprise-2.0/enterprise/install-scripts/generic/openshift.sh#L482 )
3. oo-install, which uses openshift.sh as the actual installer but doesn't modify this default value.

Also, what would resolve this CVE? 

1. Is openshift.sh already "done" because it provides the option?
2. Does oo-install have to give the user an option to set this or can it just make up a scramble and store it in the deployment configuration?

Keep in mind that exactly the same issue exists for all of the user/password/key combinations listed in openshift.sh. I'm not sure why mcollective was singled out.
Comment 5 Luke Meyer 2014-07-08 18:29:04 UTC 
Beginning with OSE 2.1 the default is to use randomized passwords. Any further need for this bug?
Comment 6 Kurt Seifried 2014-07-11 06:01:37 UTC 
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHBA-2014:0487 https://rhn.redhat.com/errata/RHBA-2014-0487.html
Comment 7 Kurt Seifried 2015-01-30 05:53:30 UTC 
Created mcollective tracking bugs for this issue:

Affects: fedora-all [bug 1187464]