Bug 1086381 – CVE-2014-0175 mcollective: default password set at install

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1086381 - (CVE-2014-0175) CVE-2014-0175 mcollective: default password set at install

Summary:	CVE-2014-0175 mcollective: default password set at install

Status:	CLOSED ERRATA

Aliases:	CVE-2014-0175

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20140710,repo...
Keywords:	Security

Depends On:	1086500 1086501 1187464
Blocks:	1083866
	Show dependency tree / graph

Reported:	2014-04-10 14:03 EDT by Kurt Seifried
Modified:	2015-01-30 00:53 EST (History)
CC List:	11 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-08-15 15:44:55 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Kurt Seifried 2014-04-10 14:03:41 EDT

mcollective includes a default username and password:

username: mcollective
password: marionette

The password should be set to a random value or specified during install time.

Comment 1 Luke Meyer 2014-04-10 14:09:41 EDT

openshift.sh has configuration options for this and other auth parameters.

This one in particular has to be the same across all hosts in the deployment, while openshift.sh only installs a single host, so it can't just be randomized if not given (at least, not if we want a decent user experience). Similar for mongo auth and BIND keys.

oo-install has a multi-host install perspective and could usefully randomize these parameters. Currently it doesn't enable doing that, however it's on the intended feature list.

Comment 4 Luke Meyer 2014-04-15 09:39:05 EDT

Well, if this is a vulnerability at all, can we be more specific?

What is "the installer" here? We have:

1. Docs for manual install (which do mention substituting a password e.g. https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/Deployment_Guide/index.html#Configuring_MCollective )
2. openshift.sh/.ks, which provides a parameter for changing this default (https://github.com/openshift/openshift-extras/blob/enterprise-2.0/enterprise/install-scripts/generic/openshift.sh#L482 )
3. oo-install, which uses openshift.sh as the actual installer but doesn't modify this default value.

Also, what would resolve this CVE? 

1. Is openshift.sh already "done" because it provides the option?
2. Does oo-install have to give the user an option to set this or can it just make up a scramble and store it in the deployment configuration?

Keep in mind that exactly the same issue exists for all of the user/password/key combinations listed in openshift.sh. I'm not sure why mcollective was singled out.

Comment 5 Luke Meyer 2014-07-08 14:29:04 EDT

Beginning with OSE 2.1 the default is to use randomized passwords. Any further need for this bug?

Comment 6 Kurt Seifried 2014-07-11 02:01:37 EDT

This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHBA-2014:0487 https://rhn.redhat.com/errata/RHBA-2014-0487.html

Comment 7 Kurt Seifried 2015-01-30 00:53:30 EST

Created mcollective tracking bugs for this issue:

Affects: fedora-all [bug 1187464]

Note You need to log in before you can comment on or make changes to this bug.