
Bug 1063188

Summary: Just provide confirm password for admin can be succeed
Product: Red Hat Enterprise Virtualization Manager
Reporter: wanghui <huiwa>
Component: ovirt-node
Assignee: Fabian Deutsch <fdeutsch>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 3.5.0
CC: bsarathy, cpelland, cshao, ecohen, fdeutsch, gklein, gouyang, hadong, iheim, jboggs, leiwang, ovirt-maint, pmatouse, rbalakri, sfolkwil, yaniwang, ycui
Target Milestone: ---
Keywords: Regression, Security, ZStream
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: node
Fixed In Version: ovirt-node-3.0.1-18.el6.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-11 20:52:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1065425, 1072455, 1123329, 1142923, 1156165

Description wanghui 2014-02-10 09:03:12 UTC
Description of problem:
It will reset the admin password if you only provide the confirm password, and as a result the admin can log in without providing a password.

It also triggers disabling CIM when you only provide the confirm password without enabling CIM.

Version-Release number of selected component (if applicable):
rhevh-6.5-20140120.0
ovirt-node-3.0.1-18.el6_5.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install rhevh-6.5-20140120.0.
2. Re-set admin password as follows.
   Password:          __________
   Confirm Password:  redhat
3. Logout and login with admin
4. Configure CIM as follows.
   Enable CIM     []
    CIM password
   Password:          __________
   Confirm Password:  redhat

Actual results:
1. After step2, it will prompt that all changes were applied successfully.
2. After step3, it will not require admin password and login directly.
3. After step4, it will prompt that all changes were applied successfully.

Expected results:
1. It should not allow providing only the confirm password to change the admin password or to trigger configuring CIM.

Additional info:

Comment 2 wanghui 2014-02-11 08:33:54 UTC
No such issue in RHEV-H 6.4-20131003.0.el6. So this issue should be a regression bug.

Comment 3 Ying Cui 2014-02-11 09:20:27 UTC
Hi Fabian,
   This bug is a regression bug; can we try to fix it ASAP (6.5 update 2)?

Thanks
Ying

Comment 4 haiyang,dong 2014-02-11 09:45:46 UTC
Add elif statement to check password == "" and confirmation != ""
http://gerrit.ovirt.org/#/c/24308/

Comment 5 haiyang,dong 2014-02-11 12:24:33 UTC
Using Jenkins build:
http://jenkins.ovirt.org/job/node-devel/1438/distro=centos64/artifact/ovirt-node-iso-3.1.0-0.999.1438.el6.iso

to test as follows:
For the admin password and the CIM password,
(a) if you only provide the confirm password, it will prompt "Please Check Password Entry" and disable the "Save" button.
(b) if you only provide the password, it will prompt "Please Check Confirm Password Entry" and disable the "Save" button.
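The check described in comments 4 and 5 above, written out as an added example; this is not code from the bug thread or from ovirt-node. The pre-fix validator is a hypothetical reconstruction of the missing branch, and the "Passwords do not match" message, the handling of two empty fields, and the apply_password_change helper are assumptions. The same validator serves both the admin password and the CIM password fields, since the thread reports the same behaviour for both.

```python
"""Password / confirm-password form validation (added example, not ovirt-node code).

Models the behaviour the thread describes: the fixed UI rejects a
submission where only one of the two fields is filled and keeps the
Save button disabled; only when both are filled are the values compared.
"""


def validate_before_fix(password: str, confirmation: str):
    """Hypothetical reconstruction of the pre-fix check (an assumption).

    Returns (ok, message). The branch for "password empty, confirmation
    filled" is missing, so that input falls through to ok=True and the
    empty password is applied, which is the bug reported above.
    """
    if password == "" and confirmation == "":
        return (False, "")  # nothing entered, nothing to save (assumption)
    if password != "" and confirmation == "":
        return (False, "Please Check Confirm Password Entry")
    # Missing here: the case password == "" and confirmation != "".
    if password != "" and password != confirmation:
        return (False, "Passwords do not match")  # message is an assumption
    return (True, "")


def validate_after_fix(password: str, confirmation: str):
    """Validator with the elif from comment 4 added.

    Returns (ok, message); ok=True is the only state in which the Save
    button may be enabled and the new password applied.
    """
    if password == "" and confirmation == "":
        return (False, "")  # nothing entered, nothing to save (assumption)
    if password != "" and confirmation == "":
        return (False, "Please Check Confirm Password Entry")
    if password == "" and confirmation != "":
        # The reported case: confirm field filled, password field empty.
        return (False, "Please Check Password Entry")
    if password != confirmation:
        return (False, "Passwords do not match")  # message is an assumption
    return (True, "")


def apply_password_change(current: str, password: str, confirmation: str, validator):
    """Hypothetical save handler: apply the new password only if the
    validator accepts the form, otherwise keep the current password."""
    ok, _message = validator(password, confirmation)
    return password if ok else current


if __name__ == "__main__":
    # Constructed input mirroring the reproduction steps: password left
    # blank, confirm password filled in.
    print("before fix:", validate_before_fix("", "redhat"),
          repr(apply_password_change("old-secret", "", "redhat", validate_before_fix)))
    print("after fix: ", validate_after_fix("", "redhat"),
          repr(apply_password_change("old-secret", "", "redhat", validate_after_fix)))
```

With the pre-fix validator the blank password is accepted and written, which is why the admin could afterwards log in without a password; with the added branch the form is rejected and the stored password is left untouched.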

Comment 7 Murray McAllister 2014-02-20 02:21:18 UTC
Thanks for your report! I am not sure if we need to treat this as a security issue as I assume you need to know the administrator password to get to the password reset functionality in the first place.

I am going to see if Petr Matousek, the security response team's RHEV expert, can take a quick look.

Thanks,

--
Murray McAllister / Red Hat Security Response Team

Comment 8 Fabian Deutsch 2014-02-21 08:28:43 UTC
Hey Murray,

I already reached out to Petr and this is no security issue.

I guess I was using the Security keyword incorrectly. Until now I thought that it was used to "tag" possible security related bugs, but it seems that this will also automatically pull someone in from the SRT, is that correct?

Comment 9 Murray McAllister 2014-02-26 03:25:00 UTC
I believe you are using it correctly. I should have checked with Petr first before asking in the bug.

And yes, SRT will be notified when a bug is tagged with the security keyword, but please continue to use it if you have possible security related bugs.

Sorry for all the noise!

Comment 13 wanghui 2014-12-17 06:18:23 UTC
Test Version:
rhev-hypervisor6-6.6-20141212.0
ovirt-node-3.1.0-0.34.20141210git0c9c493.el6.noarch

Steps to Reproduce:
1. Install rhev-hypervisor6-6.6-20141212.0.
2. Re-set admin password as follows.
   Password:          __________
   Confirm Password:  redhat
3. Configure CIM as follows.
   Enable CIM     []
    CIM password
   Password:          __________
   Confirm Password:  redhat

Actual results:
1. After step2, the Save button cannot be clicked.
2. After step3, the Save button cannot be clicked.

So this issue is fixed in rhev-hypervisor6-6.6-20141212.0 now. Change the status from ON_QA to Verified.

Comment 14 wanghui 2014-12-17 06:22:10 UTC
And also no such issue in rhev-hypervisor7-7.0-20141212.0.

Comment 16 errata-xmlrpc 2015-02-11 20:52:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0160.html