Bug 916767 (CVE-2013-1793)
| Summary: | CVE-2013-1793 openstack-utils: openstack-db insecure password creation for services | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aortega, apevec, ayoung, breeler, chrisw, cpelland, gkotton, gmollett, iheim, lhh, markmc, pbrady, rbryant, sclewis, security-response-team, sgordon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-07-17 06:05:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 916769, 916770 | | |
Description
Kurt Seifried
2013-02-28 20:59:00 UTC
So this is still an issue, all the docs show adding a password at the command line (which is actually less than ideal, it'll be stored in your command line history/shown in ps), I would suggest we add a prompt for password if no password is entered, rather than randomly generating one by default.

Yes openstack-db --init will set password to the service name. That aligns with the upstream default of using a password = the service name. However this script is mainly useful for developers, and --init is not documented for end users. It's not really an option at present to remove this script, as it's been documented recently in the upgrade process: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/Release_Notes/section_atomic-offline-upgrade.html So I'd be 60:40 for leaving the script as is for now, seeing as it's not end user impacting.

Also the option of setting a random password for --init is possible. But I'd be 60:40 for leaving the script as is for now, seeing as it's not end user impacting.

Ok, I'm going to close this as wontfix. Given the current state of this program and the user impact in the current releases (ie. none), if we do decide to change the behavior or remove this script in the future I am happy to call it hardening.
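The two concerns raised in the report (a per-service password that defaults to the service name, and a password handed over on the command line where shell history and ps record it) can both be avoided in the script that creates the database. The following is an added example written for this page; it is not code from openstack-utils or from any of the commenters, and the names db_password_for, db_init_sql, init_service_db and MYSQL_ROOT_CNF are hypothetical. It takes an explicit password if one is given, prompts with echo off when run interactively, and otherwise generates a random one; a password equal to the service name is rejected. The SQL is piped into mysql on stdin, and the admin credentials come from a defaults file, so no secret ever appears in argv.

```shell
#!/bin/sh
# Added example, not part of openstack-utils. db_password_for, db_init_sql,
# init_service_db and MYSQL_ROOT_CNF are hypothetical names.

# Service names are interpolated into SQL below, so only plain identifiers
# are accepted.
valid_service_name() {
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# db_password_for SERVICE [PASSWORD]
# Precedence: explicit argument > interactive prompt (echo off) > random.
# Nothing here ever defaults to the service name; that value is refused.
db_password_for() {
    service=$1
    pw=$2
    valid_service_name "$service" || { echo "bad service name: $service" >&2; return 1; }
    if [ -z "$pw" ] && [ -t 0 ]; then
        # Prompt only on a terminal; echo is turned off so the value is
        # neither displayed nor stored in shell history.
        printf 'Password for %s (empty = generate): ' "$service" >&2
        trap 'stty echo' INT
        stty -echo
        read -r pw
        stty echo
        trap - INT
        printf '\n' >&2
    fi
    if [ -z "$pw" ]; then
        # 24 bytes from /dev/urandom -> 32 base64 characters; '/' and '+'
        # become '_' and '-' so the value is safe to paste into config files.
        pw=$(head -c 24 /dev/urandom | base64 | tr '/+' '_-')
    fi
    if [ "$pw" = "$service" ]; then
        echo "refusing password equal to service name '$service'" >&2
        return 1
    fi
    printf '%s\n' "$pw"
}

# db_init_sql SERVICE PASSWORD
# Prints the SQL that creates the service database and user. The password
# goes in as an SQL string literal with single quotes doubled; the caller
# feeds this text to mysql on stdin, so it never shows up in argv or ps.
# GRANT ... IDENTIFIED BY is the MySQL 5.x syntax current when this bug was filed.
db_init_sql() {
    service=$1
    esc=$(printf '%s' "$2" | sed "s/'/''/g")
    valid_service_name "$service" || return 1
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$service\`;
GRANT ALL PRIVILEGES ON \`$service\`.* TO '$service'@'localhost' IDENTIFIED BY '$esc';
GRANT ALL PRIVILEGES ON \`$service\`.* TO '$service'@'%' IDENTIFIED BY '$esc';
FLUSH PRIVILEGES;
EOF
}

# init_service_db SERVICE [PASSWORD]
# Runs the SQL as the MySQL admin user. The admin credentials are read from a
# defaults file (MYSQL_ROOT_CNF, default ~/.my.cnf), not passed with -p.
# The chosen password is printed once so the caller can write it into the
# service's own configuration.
init_service_db() {
    pw=$(db_password_for "$1" "$2") || return 1
    db_init_sql "$1" "$pw" | mysql --defaults-extra-file="${MYSQL_ROOT_CNF:-$HOME/.my.cnf}" || return 1
    printf '%s\n' "$pw"
}
```

Typical use is `pw=$(init_service_db nova)`, after which the caller writes `$pw` into the service's config file with restrictive permissions; the only process that ever held the password as an argument is the script's own shell function, which does not show up in ps.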