Bug 1201875 - (CVE-2015-1842) CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20150310,repo...
Keywords: Security
Duplicates: 1200322 (view as bug list)
Depends On: 1201884 1206971 1206972 1206973 1206974 1206975 1206976 1207493 1207494 1207495 1207899
Blocks: 1201881
Reported: 2015-03-13 13:29 EDT by Fabio Olive Leite
Modified: 2016-04-26 18:28 EDT (History)
Doc Type: Bug Fix
Doc Text:
It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root.
Last Closed: 2015-04-24 02:16:58 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0789 normal SHIPPED_LIVE Important: openstack-packstack and openstack-puppet-modules security and bug fix update 2015-04-07 15:08:02 EDT
Red Hat Product Errata RHSA-2015:0791 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux OpenStack Platform Installer update 2015-04-07 15:07:29 EDT
Red Hat Product Errata RHSA-2015:0830 normal SHIPPED_LIVE Important: openstack-foreman-installer security update 2015-04-16 13:28:39 EDT
Red Hat Product Errata RHSA-2015:0831 normal SHIPPED_LIVE Important: openstack-packstack and openstack-puppet-modules update 2015-04-16 13:53:33 EDT
Red Hat Product Errata RHSA-2015:0832 normal SHIPPED_LIVE Important: openstack-packstack and openstack-puppet-modules update 2015-04-16 13:53:25 EDT

Description Fabio Olive Leite 2015-03-13 13:29:54 EDT
It was discovered that openstack-puppet-modules as used by the Red Hat Enterprise Linux OpenStack Platform Installers would always use the default password of "CHANGEME" when deploying pcsd in HA environments.
Comment 1 Fabio Olive Leite 2015-03-13 13:43:35 EDT
Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 1201884]
Comment 2 Garth Mollett 2015-03-29 21:14:47 EDT
*** Bug 1200322 has been marked as a duplicate of this bug. ***
Comment 3 Ivan Chavero 2015-03-30 16:56:47 EDT
The password in the module [1] is just a default that should be set by the puppet manifest (for example the staypuft manifests) that uses the module.

For example:

class { 'pacemaker':
  hacluster_pwd => 'newpassword'
}

Is there anything that you think should be done at this level?

[1] https://github.com/redhat-openstack/puppet-pacemaker/blob/master/manifests/params.pp#L3
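As an added example (not code from this bug report or from the puppet-pacemaker module), the pattern comment 3 describes with the weak and corrected forms side by side, plus a compile-time guard that refuses to deploy while the known default is still in place. Assumed: the `pacemaker` class and `hacluster_pwd` parameter named in comment 3, a hypothetical Hiera key `pacemaker::hacluster_pwd` holding the per-deployment secret, and the Puppet 3-era `hiera()` function (on Puppet 4.9 and later, `lookup()` is the equivalent call).

```puppet
# Added example, not from this bug or the puppet-pacemaker module.
# Assumptions: class 'pacemaker' with parameter 'hacluster_pwd' (comment 3);
# a Hiera key 'pacemaker::hacluster_pwd' (hypothetical name) that carries the
# deployment-specific secret; Puppet 3-era hiera().

# Weak form: declaring the class with no password relies on the module's
# params.pp default, so every deployment shares the same known pcsd password.
#
#   class { 'pacemaker': }
#
# Corrected form: take the secret from Hiera and fail catalog compilation if
# it is missing or still equal to the known default, so the node can never be
# built with it. Note that Puppet string comparison with == is
# case-insensitive, so 'changeme' is rejected as well.

$hacluster_pwd = hiera('pacemaker::hacluster_pwd', '')

if $hacluster_pwd == '' or $hacluster_pwd == 'CHANGEME' {
  fail('pacemaker: hacluster_pwd is unset or still the known default; set pacemaker::hacluster_pwd in Hiera (ideally encrypted, e.g. hiera-eyaml) before deploying')
}

class { 'pacemaker':
  hacluster_pwd => $hacluster_pwd,
}
```

The guard catches both failure modes the bug turns on: an installer that never passes the parameter (the original report) and an operator who copied a template and left the placeholder in Hiera. Because `fail()` aborts compilation, no catalog is ever applied to the node, which is preferable to detecting the default after pcsd is already listening.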
Comment 4 Ivan Chavero 2015-03-30 18:55:19 EDT
The version of pacemaker we're currently using always uses the default password; we have to bump the pacemaker module to this commit: https://github.com/radez/puppet-pacemaker/blob/5d91343c80f65b64be604f4a61558ff408c0f863/manifests/corosync.pp#L56
Comment 5 Garth Mollett 2015-03-30 22:41:04 EDT
(In reply to Ivan Chavero from comment #4)
> the version of pacemaker we're currently using always use the default
> password, we have to bump the pacemaker module to this commit:
> https://github.com/radez/puppet-pacemaker/blob/5d91343c80f65b64be604f4a61558ff408c0f863/manifests/corosync.pp#L56

Thanks Ivan. Please leave this bug as NEW and work in the product specific trackers.
Comment 9 Garth Mollett 2015-03-31 00:57:21 EDT
Acknowledgements:

This issue was discovered by Alessandro Vozza of Red Hat.
Comment 10 Garth Mollett 2015-04-07 03:14:07 EDT
Statement:

Red Hat Product Security has rated this issue as having Important security impact; a future update will address the flaw.

As a mitigation against this issue, any system deployed using the affected component should have the 'hacluster' password changed before being placed into production or on an untrusted network.

An article with more detailed information is available to customers here:
https://access.redhat.com/articles/1396123
Comment 11 errata-xmlrpc 2015-04-07 11:08:58 EDT
This issue has been addressed in the following products:

  Openstack 6 Installer for RHEL 7

Via RHSA-2015:0791 https://rhn.redhat.com/errata/RHSA-2015-0791.html
Comment 12 errata-xmlrpc 2015-04-07 11:11:14 EDT
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:0789 https://rhn.redhat.com/errata/RHSA-2015-0789.html
Comment 13 errata-xmlrpc 2015-04-16 09:29:03 EDT
This issue has been addressed in the following products:

  OpenStack Foreman for RHEL 6

Via RHSA-2015:0830 https://rhn.redhat.com/errata/RHSA-2015-0830.html
Comment 14 errata-xmlrpc 2015-04-16 10:01:49 EDT
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0832 https://rhn.redhat.com/errata/RHSA-2015-0832.html
Comment 15 errata-xmlrpc 2015-04-16 10:03:03 EDT
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0831 https://rhn.redhat.com/errata/RHSA-2015-0831.html