Bug 1281777 - (CVE-2015-5329) CVE-2015-5329 openstack-tripleo-heat-templates: Using hardcoded rabbitmq credentials regardless of supplied values
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151111,repor...
Keywords: Security
Depends On: 1261303 1286896 1291493
Blocks: 1279654
Reported: 2015-11-13 07:36 EST by Adam Mariš
Modified: 2016-04-26 13:58 EDT (History)

Doc Type: Bug Fix
Doc Text:
A flaw was found in the director (openstack-tripleo-heat-templates) where the RabbitMQ credentials defaulted to guest/guest and supplied values in the configuration were not used. As a result, all deployed overclouds used the same credentials (guest/guest). A remote non-authenticated attacker could use this flaw to access RabbitMQ services in the deployed cloud.
Last Closed: 2016-01-11 19:47:35 EST
Description Adam Mariš 2015-11-13 07:36:46 EST
A vulnerability was found in openstack-tripleo-heat-templates which, regardless of the supplied values for credentials, uses the hardcoded RabbitMQ credentials of the guest/guest account. In the documentation users are strongly encouraged to change the default values for credentials; however, changing these values using our instructions does not correctly set the values in the RabbitMQ config.
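The defect class described above, as an added example that is not part of the Bugzilla report or the openstack-tripleo-heat-templates project: a template renderer that accepts RabbitMQ credential parameters but never wires them into the generated configuration, next to a corrected renderer and an audit that checks a rendered config against what the operator supplied. The parameter names (RabbitUserName, RabbitPassword), the rendered keys, and the sample operator input are assumptions chosen for illustration; the password value is a placeholder.

```python
# Added example, not code from the Bugzilla report or from
# openstack-tripleo-heat-templates. Models the CVE-2015-5329 defect class:
# credential parameters are accepted but ignored, so every deployment
# ends up with guest/guest. Parameter and config key names are assumptions.
import re

DEFAULT_USER = "guest"
DEFAULT_PASSWORD = "guest"

# Constructed operator input; the password is a placeholder, not a real secret.
SUPPLIED = {
    "RabbitUserName": "overcloud-rabbit",
    "RabbitPassword": "PLACEHOLDER-not-a-real-secret",
}


def render_vulnerable(params: dict) -> str:
    """Hypothetical 'before' behaviour: parameters are accepted and ignored."""
    return (
        "[oslo_messaging_rabbit]\n"
        f"rabbit_userid = {DEFAULT_USER}\n"
        f"rabbit_password = {DEFAULT_PASSWORD}\n"
    )


def render_fixed(params: dict) -> str:
    """Hypothetical 'after' behaviour: supplied values reach the config."""
    user = params.get("RabbitUserName", DEFAULT_USER)
    password = params.get("RabbitPassword", DEFAULT_PASSWORD)
    return (
        "[oslo_messaging_rabbit]\n"
        f"rabbit_userid = {user}\n"
        f"rabbit_password = {password}\n"
    )


_KV = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines; section headers and comments are skipped."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "[")):
            continue
        m = _KV.match(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def audit_rabbit_credentials(rendered: str, supplied: dict) -> list:
    """Return findings for a rendered config against the operator-supplied values.

    Two independent checks: the config must not carry the guest/guest default,
    and it must match what was supplied. The CVE-2015-5329 symptom is that the
    second check fails even though the operator changed the values.
    """
    cfg = parse_config(rendered)
    user = cfg.get("rabbit_userid")
    password = cfg.get("rabbit_password")
    findings = []
    if (user, password) == (DEFAULT_USER, DEFAULT_PASSWORD):
        findings.append("rabbit credentials are the guest/guest default")
    if user != supplied["RabbitUserName"]:
        findings.append(f"rabbit_userid {user!r} does not match the supplied RabbitUserName")
    if password != supplied["RabbitPassword"]:
        findings.append("rabbit_password does not match the supplied RabbitPassword")
    return findings


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        findings = audit_rabbit_credentials(render(SUPPLIED), SUPPLIED)
        print(f"{name}: {findings or 'OK'}")
```

The audit keeps the two checks separate on purpose: a config that merely avoids guest/guest can still be wrong if it does not carry the values the operator set, and a config that matches the supplied values is still flagged when the operator left the defaults in place.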
Comment 1 Garth Mollett 2015-11-15 22:31:06 EST
Acknowledgements:

Red Hat would like to thank Kota Akatsuka of NEC for reporting this issue.
Comment 3 Summer Long 2015-12-14 19:28:04 EST
Created openstack-tripleo-heat-templates tracking bugs for this issue:

Affects: fedora-all [bug 1291493]
Comment 4 errata-xmlrpc 2015-12-21 11:52:42 EST
This issue has been addressed in the following products:

  OpenStack 7.0 Director/Manager for RHEL 7

Via RHSA-2015:2650 https://access.redhat.com/errata/RHSA-2015:2650
