Bug 1281777 (CVE-2015-5329)

Summary: CVE-2015-5329 openstack-tripleo-heat-templates: Using hardcoded rabbitmq credentials regardless of supplied values
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, bnemec, chrisw, dallan, gkotton, gmollett, jason.dobies, jjoyce, jrusnack, jschluet, jslagle, kbasil, lhh, lpeer, markmc, mburns, rbryant, sclewis, security-response-team, slinaber, slong, tdecacqu, tsedovic
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A flaw was found in the director (openstack-tripleo-heat-templates) where the RabbitMQ credentials defaulted to guest/guest and supplied values in the configuration were not used. As a result, all deployed overclouds used the same credentials (guest/guest). A remote non-authenticated attacker could use this flaw to access RabbitMQ services in the deployed cloud.
Story Points: ---
Last Closed: 2016-01-12 00:47:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1261303, 1286896, 1291493
Bug Blocks: 1279654

Description Adam Mariš 2015-11-13 12:36:46 UTC
A vulnerability in openstack-tripleo-heat-templates was found which, regardless of the supplied values for credentials, uses the hardcoded rabbitmq credentials of the guest/guest account. In the documentation users are strongly encouraged to change the default values for credentials; however, changing these values using our instructions does not correctly set the values in the rabbitmq config.
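An added audit check, not taken from the bug report or from the openstack-tripleo-heat-templates project: it reads the RabbitMQ configuration a deployed node actually runs with and compares it against the credentials the operator supplied, so a deployment that silently fell back to guest/guest is flagged instead of trusted. The rabbitmq.config snippet and the supplied values are constructed; the Heat parameter names RabbitUserName/RabbitPassword named in the comments are assumed; the fallback to guest/guest when the keys are absent from the file is RabbitMQ's own built-in default.

```python
import re

# Constructed sample of a deployed node's /etc/rabbitmq/rabbitmq.config (Erlang
# term syntax) showing the flawed outcome described in the bug: the guest/guest
# account was rendered even though other credentials had been supplied.
SAMPLE_RABBITMQ_CONFIG = """
[
  {rabbit, [
    {default_user, <<"guest">>},
    {default_pass, <<"guest">>},
    {tcp_listeners, [5672]}
  ]}
].
"""

# RabbitMQ's built-in defaults, which apply when default_user/default_pass
# are missing from the file entirely.
BUILTIN_USER = "guest"
BUILTIN_PASS = "guest"

_TERM_RE = re.compile(r'\{\s*(default_user|default_pass)\s*,\s*<<"([^"]*)">>\s*\}')


def parse_rabbitmq_defaults(config_text):
    """Return (user, password) as they take effect for the given rabbitmq.config.

    A key absent from the file falls back to RabbitMQ's built-in default, which
    is exactly the silent-fallback case an audit needs to catch.
    """
    found = {key: value for key, value in _TERM_RE.findall(config_text)}
    return found.get("default_user", BUILTIN_USER), found.get("default_pass", BUILTIN_PASS)


def audit_rabbitmq_credentials(intended_user, intended_pass, config_text):
    """Compare the credentials the operator supplied (for TripleO, assumed to be
    the RabbitUserName / RabbitPassword parameters of the environment file)
    with what the deployed node actually runs. Returns a list of findings;
    an empty list means the supplied values really took effect.
    """
    effective_user, effective_pass = parse_rabbitmq_defaults(config_text)
    findings = []
    if (effective_user, effective_pass) == (BUILTIN_USER, BUILTIN_PASS):
        findings.append("rabbitmq runs with the built-in guest/guest account")
    if effective_user != intended_user:
        findings.append(
            f"default_user is {effective_user!r}, supplied value was {intended_user!r}"
        )
    if effective_pass != intended_pass:
        # Do not echo the password itself into audit output.
        findings.append("default_pass does not match the supplied password")
    return findings


if __name__ == "__main__":
    # Constructed operator-supplied values; the mismatch against the sample
    # config reproduces the symptom the bug describes.
    for finding in audit_rabbitmq_credentials("overcloud", "s3cr3t-example", SAMPLE_RABBITMQ_CONFIG):
        print("FINDING:", finding)
```

Run it against the rabbitmq.config collected from each overcloud controller after a deployment; a non-empty result on any node means the supplied credentials were not applied there, which is the condition this advisory's fix addresses.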

Comment 1 Garth Mollett 2015-11-16 03:31:06 UTC
Acknowledgements:

Red Hat would like to thank Kota Akatsuka of NEC for reporting this issue.

Comment 3 Summer Long 2015-12-15 00:28:04 UTC
Created openstack-tripleo-heat-templates tracking bugs for this issue:

Affects: fedora-all [bug 1291493]

Comment 4 errata-xmlrpc 2015-12-21 16:52:42 UTC
This issue has been addressed in the following products:

  OpenStack 7.0 Director/Manager for RHEL 7

Via RHSA-2015:2650 https://access.redhat.com/errata/RHSA-2015:2650