Description of problem:
There is a file:

(undercloud) [stack@undercloud ~]$ ls -lah /etc/openstack/clouds.yaml
-rw-r--r--. 1 root root 582 Aug 22 11:41 /etc/openstack/clouds.yaml

which contains plaintext passwords to the undercloud and overcloud clouds, and it can be read by anyone. It comes from:

sudo grep -r tripleo_keystone_resources_clouds_file_path /usr/
/usr/share/ansible/roles/tripleo-keystone-resources/defaults/main.yml:tripleo_keystone_resources_clouds_file_path: /etc/openstack/clouds.yaml
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:- name: "Check if {{ tripleo_keystone_resources_clouds_file_path }} exists"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:    path: "{{ tripleo_keystone_resources_clouds_file_path }}"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:- name: "Create empty {{ tripleo_keystone_resources_clouds_file_path }} if it does not exist"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:    dest: "{{ tripleo_keystone_resources_clouds_file_path }}"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:- name: "Configure {{ tripleo_keystone_resources_clouds_file_path }}"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:    tripleo_config_dest: "{{ tripleo_keystone_resources_clouds_file_path }}"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:    tripleo_config_src: "{{ tripleo_keystone_resources_clouds_file_path }}"

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
The fix for this one was merged 12 days ago: https://github.com/openstack/tripleo-ansible/commit/97f363ce2eba9942efc443f3bedb454babc3c38e
So that patch will be available in an upcoming z-stream.
Please use CVE-2022-3146 to track this vulnerability.
Maciej, would you like to be credited on the CVE page (https://access.redhat.com/security/cve/CVE-2022-3146) as discovering this security issue?
yes, sure.
File permission was changed as expected:

[stack@undercloud-0 ~]$ ls -lah /etc/openstack/clouds.yaml
-rw-------. 1 root root 595 Oct 6 13:45 /etc/openstack/clouds.yaml
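The two `ls -lah` listings above (the world-readable 0644 file in the report and the 0600 file after the fix) are the whole check: a credentials file must have no group/other bits and must be owned by the expected account. The following audit helper is an added example, not part of this bug report or of tripleo-ansible; it automates that comparison so the state can be verified on an undercloud before and after applying the errata. It assumes Linux with GNU coreutils (`stat -c`), and the expected owner is given as a numeric uid (default 0, i.e. root) so the function can also be exercised on a temporary file owned by a non-root user.

```shell
#!/bin/sh
# Added audit helper (example code, not from the bug report or tripleo-ansible).
# Verifies the state shown in the thread: a credentials file such as
# /etc/openstack/clouds.yaml must grant no group/other permission bits and
# must be owned by the expected account (uid 0 on the undercloud).
# Assumption: Linux with GNU coreutils, so `stat -c` is available.

# check_cred_file FILE [OWNER_UID]
# Returns 0 when FILE exists, is owned by OWNER_UID (default 0 = root) and has
# no group/other permission bits; returns 1 and prints the reason otherwise.
check_cred_file() {
    f=$1
    want_uid=${2:-0}
    if [ ! -f "$f" ]; then
        echo "FAIL: $f does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$f")    # e.g. 644, 600, or 4755 with special bits
    uid=$(stat -c '%u' "$f")
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $f is owned by uid $uid, expected uid $want_uid"
        rc=1
    fi
    # Pad to four octal digits so the last two (group, other) can be isolated
    # even for unusual modes such as 0 or 4755.
    padded=$(printf '%04d' "$mode")
    group_other=${padded#??}
    if [ "$group_other" != "00" ]; then
        echo "FAIL: $f has mode $mode; group/other bits must be 0 (got $group_other)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f is mode $mode, owned by uid $uid"
    fi
    return "$rc"
}

# fix_cred_file FILE
# Removes group/other access, the same 0600 mode the thread shows after the fix.
# Ownership is deliberately left alone: changing it requires root and should
# be a conscious decision, not a side effect of an audit script.
fix_cred_file() {
    chmod 0600 "$1" && echo "chmod 0600 applied to $1"
}

# Stand-alone use: audit the undercloud file if it exists on this host.
if [ -f /etc/openstack/clouds.yaml ]; then
    check_cred_file /etc/openstack/clouds.yaml || :
fi
```

Run it as the stack user on the undercloud after the update; a FAIL line pointing at non-zero group/other bits means the vulnerable 0644 mode from the original report is still in place.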
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenStack Platform (tripleo-ansible) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:6969