Bug 1201875 (CVE-2015-1842)

Summary: CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password
Product: [Other] Security Response
Reporter: Fabio Olive Leite <fleite>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abaron, aortega, apevec, avozza, ayoung, cfeist, chrisw, cluster-maint, dallan, fleite, gkotton, gmollett, ichavero, jguiditt, jpokorny, jrusnack, lhh, lpeer, markmc, mburns, morazi, rbryant, rhos-maint, sclewis, tojeline, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root.
Story Points: ---
Last Closed: 2015-04-24 06:16:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1201884, 1206971, 1206972, 1206973, 1206974, 1206975, 1206976, 1207493, 1207494, 1207495, 1207899
Bug Blocks: 1201881

Description Fabio Olive Leite 2015-03-13 17:29:54 UTC
It was discovered that openstack-puppet-modules as used by the Red Hat Enterprise Linux OpenStack Platform Installers would always use the default password of "CHANGEME" when deploying pcsd in HA environments.

Comment 1 Fabio Olive Leite 2015-03-13 17:43:35 UTC
Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 1201884]

Comment 2 Garth Mollett 2015-03-30 01:14:47 UTC
*** Bug 1200322 has been marked as a duplicate of this bug. ***

Comment 3 Ivan Chavero 2015-03-30 20:56:47 UTC
The password in the module [1] is just a default that should be set by the puppet manifest (for example the staypuft manifests) that uses the module.

For example:

class{ 'pacemaker':
  hacluster_pwd => 'newpassord'
}


Is there anything that you think should be done at this level?


[1] https://github.com/redhat-openstack/puppet-pacemaker/blob/master/manifests/params.pp#L3

Comment 4 Ivan Chavero 2015-03-30 22:55:19 UTC
The version of pacemaker we're currently using always uses the default password; we have to bump the pacemaker module to this commit: https://github.com/radez/puppet-pacemaker/blob/5d91343c80f65b64be604f4a61558ff408c0f863/manifests/corosync.pp#L56
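The situation described in comments 3 and 4 (a module-level default for hacluster_pwd that the declaring manifest is expected to override, and an older module version that used the default no matter what the manifest passed) is something a deployment pipeline can check for before a node goes live. The script below is an added example, not code from this bug, the puppet-pacemaker module or Red Hat; the manifest snippets are constructed, and the regular expressions only understand the simple `$hacluster_pwd = '...'` and `hacluster_pwd => '...'` forms shown in this thread, not arbitrary Puppet.

```python
import re
from typing import List, Optional

# Constructed sample inputs (not taken from the real module): a params.pp-style
# default like the one comment 3 points at, a manifest that overrides it, and
# one that does not.
PARAMS_PP = """
class pacemaker::params {
  $hacluster_pwd = 'CHANGEME'
  $pcsd_mode     = true
}
"""

OVERRIDING_MANIFEST = """
class { 'pacemaker':
  hacluster_pwd => 'newpassword',
}
"""

NON_OVERRIDING_MANIFEST = """
class { 'pacemaker':
  pcsd_mode => true,
}
"""

# Defaults an auditor should treat as "never changed" (CHANGEME is the one named in this bug).
KNOWN_DEFAULTS = {"CHANGEME"}

PARAM_RE = re.compile(r"\$hacluster_pwd\s*=\s*['\"]([^'\"]*)['\"]")
DECL_RE = re.compile(r"class\s*\{\s*['\"]pacemaker['\"]\s*:(.*?)\}", re.S)
OVERRIDE_RE = re.compile(r"\bhacluster_pwd\s*=>\s*['\"]([^'\"]*)['\"]")


def module_default(params_pp: str) -> Optional[str]:
    """Default hacluster_pwd declared in the module's params class, if any."""
    m = PARAM_RE.search(params_pp)
    return m.group(1) if m else None


def declared_password(manifest: str) -> Optional[str]:
    """hacluster_pwd passed by a `class { 'pacemaker': ... }` declaration, if any."""
    for decl in DECL_RE.finditer(manifest):
        m = OVERRIDE_RE.search(decl.group(1))
        if m:
            return m.group(1)
    return None


def effective_password(params_pp: str, manifest: str,
                       module_honors_override: bool = True) -> Optional[str]:
    """Password pcsd would end up with.

    module_honors_override=False models the older module version from comment 4,
    which used the default regardless of what the manifest passed.
    """
    if module_honors_override:
        declared = declared_password(manifest)
        if declared is not None:
            return declared
    return module_default(params_pp)


def audit(params_pp: str, manifest: str,
          module_honors_override: bool = True) -> List[str]:
    """Return findings; an empty list means no known default would be deployed."""
    findings: List[str] = []
    pw = effective_password(params_pp, manifest, module_honors_override)
    if pw is None:
        findings.append("no hacluster_pwd value found in module default or manifest")
    elif pw in KNOWN_DEFAULTS:
        findings.append(f"hacluster_pwd resolves to known default {pw!r}")
    elif not pw:
        findings.append("hacluster_pwd is empty")
    return findings


if __name__ == "__main__":
    for name, manifest in [("overriding", OVERRIDING_MANIFEST),
                           ("non-overriding", NON_OVERRIDING_MANIFEST)]:
        print(name, audit(PARAMS_PP, manifest) or "OK")
    # With the old module, even the overriding manifest ends up on the default.
    print("old module, overriding manifest:",
          audit(PARAMS_PP, OVERRIDING_MANIFEST, module_honors_override=False) or "OK")
```

Run against the real params.pp and site manifests, a non-empty result from audit() is the signal that the hacluster password the node will boot with is the shipped default; the module_honors_override flag exists so the check still fails on the module version comment 4 describes, where fixing the manifest alone was not enough.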

Comment 5 Garth Mollett 2015-03-31 02:41:04 UTC
(In reply to Ivan Chavero from comment #4)
> the version of pacemaker we're currently using always use the default
> password, we have to bump the pacemaker module to this commit:
> https://github.com/radez/puppet-pacemaker/blob/
> 5d91343c80f65b64be604f4a61558ff408c0f863/manifests/corosync.pp#L56

Thanks Ivan. Please leave this bug as NEW and work in the product specific trackers.

Comment 9 Garth Mollett 2015-03-31 04:57:21 UTC
Acknowledgements:

This issue was discovered by Alessandro Vozza of Red Hat.

Comment 10 Garth Mollett 2015-04-07 07:14:07 UTC
Statement:

Red Hat Product Security has rated this issue as having Important security impact; a future update will address the flaw.

As a mitigation against this issue, any system deployed using the affected component should have the 'hacluster' password changed before being placed into production or on an untrusted network.

An article with more detailed information is available to customers here:
https://access.redhat.com/articles/1396123

Comment 11 errata-xmlrpc 2015-04-07 15:08:58 UTC
This issue has been addressed in the following products:

  Openstack 6 Installer for RHEL 7

Via RHSA-2015:0791 https://rhn.redhat.com/errata/RHSA-2015-0791.html

Comment 12 errata-xmlrpc 2015-04-07 15:11:14 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:0789 https://rhn.redhat.com/errata/RHSA-2015-0789.html

Comment 13 errata-xmlrpc 2015-04-16 13:29:03 UTC
This issue has been addressed in the following products:

  OpenStack Foreman for RHEL 6

Via RHSA-2015:0830 https://rhn.redhat.com/errata/RHSA-2015-0830.html

Comment 14 errata-xmlrpc 2015-04-16 14:01:49 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0832 https://rhn.redhat.com/errata/RHSA-2015-0832.html

Comment 15 errata-xmlrpc 2015-04-16 14:03:03 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0831 https://rhn.redhat.com/errata/RHSA-2015-0831.html