Bug 1201875 (CVE-2015-1842) - CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-1842
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1200322 (view as bug list)
Depends On: 1201884 1206971 1206972 1206973 1206974 1206975 1206976 1207493 1207494 1207495 1207899
Blocks: 1201881
Reported: 2015-03-13 17:29 UTC by Fabio Olive Leite
Modified: 2023-05-12 23:31 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-04-24 06:16:58 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0789 0 normal SHIPPED_LIVE Important: openstack-packstack and openstack-puppet-modules security and bug fix update 2015-04-07 19:08:02 UTC
Red Hat Product Errata RHSA-2015:0791 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux OpenStack Platform Installer update 2015-04-07 19:07:29 UTC
Red Hat Product Errata RHSA-2015:0830 0 normal SHIPPED_LIVE Important: openstack-foreman-installer security update 2015-04-16 17:28:39 UTC
Red Hat Product Errata RHSA-2015:0831 0 normal SHIPPED_LIVE Important: openstack-packstack and openstack-puppet-modules update 2015-04-16 17:53:33 UTC
Red Hat Product Errata RHSA-2015:0832 0 normal SHIPPED_LIVE Important: openstack-packstack and openstack-puppet-modules update 2015-04-16 17:53:25 UTC

Description Fabio Olive Leite 2015-03-13 17:29:54 UTC
It was discovered that openstack-puppet-modules as used by the Red Hat Enterprise Linux OpenStack Platform Installers would always use the default password of "CHANGEME" when deploying pcsd in HA environments.

Comment 1 Fabio Olive Leite 2015-03-13 17:43:35 UTC
Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 1201884]

Comment 2 Garth Mollett 2015-03-30 01:14:47 UTC
*** Bug 1200322 has been marked as a duplicate of this bug. ***

Comment 3 Ivan Chavero 2015-03-30 20:56:47 UTC
The password in the module [1] is just a default that should be set by the puppet manifest (for example staypuft manifests) that uses the module.

For example:

class { 'pacemaker':
  hacluster_pwd => 'newpassword',
}


Is there anything that you think should be done at this level?


[1] https://github.com/redhat-openstack/puppet-pacemaker/blob/master/manifests/params.pp#L3
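
The override shown above only helps if every manifest that includes the module actually supplies a value. As an added example (not code from puppet-pacemaker, staypuft or this bug report), a wrapper profile with the hypothetical name profile::pacemaker_ha refuses to compile a catalog while hacluster_pwd is still the module default; it assumes a Puppet version with the Sensitive data type and the unwrap function, and that the value is supplied through Hiera rather than as a literal.

```puppet
# Added example, not part of the puppet-pacemaker module or the original report.
# Hypothetical wrapper profile that makes the 'hacluster' password a mandatory,
# non-default input before class { 'pacemaker': } is declared.
class profile::pacemaker_ha (
  # Sensitive[] keeps the value out of catalogs, reports and agent logs.
  # String[12] rejects short values at the type level; the caller supplies the
  # value (for example from hiera-eyaml), never as a literal in a manifest.
  Sensitive[String[12]] $hacluster_pwd,
) {
  # Reject the documented module default explicitly, so a forgotten Hiera key
  # or a copy-pasted placeholder fails the run instead of deploying pcsd with it.
  if $hacluster_pwd.unwrap == 'CHANGEME' {
    fail('profile::pacemaker_ha: hacluster_pwd is still the module default "CHANGEME"; set profile::pacemaker_ha::hacluster_pwd in Hiera before deploying HA')
  }

  class { 'pacemaker':
    hacluster_pwd => $hacluster_pwd.unwrap,
  }
}

# Constructed Hiera data for automatic parameter lookup (e.g. common.eyaml):
#
#   lookup_options:
#     profile::pacemaker_ha::hacluster_pwd:
#       convert_to: "Sensitive"
#   profile::pacemaker_ha::hacluster_pwd: ENC[PKCS7,<eyaml-ciphertext-placeholder>]
```

With the key absent, Puppet fails on the missing mandatory parameter; with the key set to the default, the fail() fires, so neither path reaches the pcsd deployment.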

Comment 4 Ivan Chavero 2015-03-30 22:55:19 UTC
The version of pacemaker we're currently using always uses the default password; we have to bump the pacemaker module to this commit: https://github.com/radez/puppet-pacemaker/blob/5d91343c80f65b64be604f4a61558ff408c0f863/manifests/corosync.pp#L56

Comment 5 Garth Mollett 2015-03-31 02:41:04 UTC
(In reply to Ivan Chavero from comment #4)
> the version of pacemaker we're currently using always use the default
> password, we have to bump the pacemaker module to this commit:
> https://github.com/radez/puppet-pacemaker/blob/
> 5d91343c80f65b64be604f4a61558ff408c0f863/manifests/corosync.pp#L56

Thanks Ivan. Please leave this bug as NEW and work in the product specific trackers.

Comment 9 Garth Mollett 2015-03-31 04:57:21 UTC
Acknowledgements:

This issue was discovered by Alessandro Vozza of Red Hat.

Comment 10 Garth Mollett 2015-04-07 07:14:07 UTC
Statement:

Red Hat Product Security has rated this issue as having Important security impact; a future update will address the flaw.

As a mitigation against this issue, any system deployed using the affected component should have the 'hacluster' password changed before being placed into production or on an untrusted network.

An article with more detailed information is available to customers here:
https://access.redhat.com/articles/1396123

Comment 11 errata-xmlrpc 2015-04-07 15:08:58 UTC
This issue has been addressed in the following products:

  Openstack 6 Installer for RHEL 7

Via RHSA-2015:0791 https://rhn.redhat.com/errata/RHSA-2015-0791.html

Comment 12 errata-xmlrpc 2015-04-07 15:11:14 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:0789 https://rhn.redhat.com/errata/RHSA-2015-0789.html

Comment 13 errata-xmlrpc 2015-04-16 13:29:03 UTC
This issue has been addressed in the following products:

  OpenStack Foreman for RHEL 6

Via RHSA-2015:0830 https://rhn.redhat.com/errata/RHSA-2015-0830.html

Comment 14 errata-xmlrpc 2015-04-16 14:01:49 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0832 https://rhn.redhat.com/errata/RHSA-2015-0832.html

Comment 15 errata-xmlrpc 2015-04-16 14:03:03 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0831 https://rhn.redhat.com/errata/RHSA-2015-0831.html
