Bug 1281777 (CVE-2015-5329) - CVE-2015-5329 openstack-tripleo-heat-templates: Using hardcoded rabbitmq credentials regardless of supplied values
Summary: CVE-2015-5329 openstack-tripleo-heat-templates: Using hardcoded rabbitmq cred...
Alias: CVE-2015-5329
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1261303 1286896 1291493
Blocks: 1279654
Reported: 2015-11-13 12:36 UTC by Adam Mariš
Modified: 2023-05-12 14:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the director (openstack-tripleo-heat-templates) where the RabbitMQ credentials defaulted to guest/guest and supplied values in the configuration were not used. As a result, all deployed overclouds used the same credentials (guest/guest). A remote non-authenticated attacker could use this flaw to access RabbitMQ services in the deployed cloud.
Clone Of:
Last Closed: 2016-01-12 00:47:35 UTC


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2650 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update 2015-12-21 21:44:54 UTC

Description Adam Mariš 2015-11-13 12:36:46 UTC
A vulnerability in openstack-tripleo-heat-templates was found, which regardless of supplied values for credentials uses hardcoded rabbitmq credentials for the guest/guest account. In the documentation users are strongly encouraged to change the default values for credentials, however changing these values using our instructions does not correctly set the values in the rabbitmq config.
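The class of defect described above (a template that declares credential parameters but never wires them into the rendered RabbitMQ config, so the guest/guest default is always used) can be caught before deployment by resolving the effective values and comparing them with what the operator supplied. The following is an added example and is not code from the bug report or from the tripleo-heat-templates project; the two template fragments, the `config` section layout and the parameter names `RabbitUserName`/`RabbitPassword` are constructed for illustration.

```python
# Added example (not from the bug report or the tripleo-heat-templates project).
# Two constructed Heat-style fragments: one hardcodes RabbitMQ credentials,
# one wires them to the supplied parameters. A check resolves the effective
# values and flags any that ignore the supplied parameters or fall back to
# the RabbitMQ default guest/guest.

DEFAULT_RABBIT_CREDS = ("guest", "guest")

# Constructed fragment modelled on the flaw: parameters are declared
# but the config section never references them.
VULNERABLE_TEMPLATE = {
    "parameters": {"RabbitUserName": {"default": "guest"},
                   "RabbitPassword": {"default": "guest"}},
    "config": {"rabbit_userid": "guest", "rabbit_password": "guest"},
}

# Constructed fragment of the intended behaviour: config values resolve
# through get_param, so supplied values take effect.
FIXED_TEMPLATE = {
    "parameters": {"RabbitUserName": {"default": "guest"},
                   "RabbitPassword": {"default": "guest"}},
    "config": {"rabbit_userid": {"get_param": "RabbitUserName"},
               "rabbit_password": {"get_param": "RabbitPassword"}},
}


def resolve(value, template, supplied):
    """Resolve a Heat-style {get_param: X} intrinsic; literals pass through."""
    if isinstance(value, dict) and "get_param" in value:
        name = value["get_param"]
        if name in supplied:
            return supplied[name]
        return template["parameters"][name].get("default")
    return value


def check_rabbit_credentials(template, supplied):
    """Return a list of findings; empty means supplied credentials are honoured."""
    cfg = template["config"]
    user = resolve(cfg["rabbit_userid"], template, supplied)
    password = resolve(cfg["rabbit_password"], template, supplied)
    findings = []
    if (user, password) == DEFAULT_RABBIT_CREDS:
        findings.append("effective RabbitMQ credentials are the default guest/guest")
    if user != supplied.get("RabbitUserName", user):
        findings.append("rabbit_userid ignores supplied RabbitUserName")
    if password != supplied.get("RabbitPassword", password):
        findings.append("rabbit_password ignores supplied RabbitPassword")
    return findings
```

Against the vulnerable fragment the check reports both that the supplied values are ignored and that the effective credentials are guest/guest; against the fixed fragment it reports nothing unless the operator left the defaults in place.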

Comment 1 Garth Mollett 2015-11-16 03:31:06 UTC

Red Hat would like to thank Kota Akatsuka of NEC for reporting this issue.

Comment 3 Summer Long 2015-12-15 00:28:04 UTC
Created openstack-tripleo-heat-templates tracking bugs for this issue:

Affects: fedora-all [bug 1291493]

Comment 4 errata-xmlrpc 2015-12-21 16:52:42 UTC
This issue has been addressed in the following products:

  OpenStack 7.0 Director/Manager for RHEL 7

Via RHSA-2015:2650 https://access.redhat.com/errata/RHSA-2015:2650
