Bug 872487 (CVE-2012-4574) - CVE-2012-4574 pulp /etc/pulp/pulp.conf world readable, contains default admin password
Summary: CVE-2012-4574 pulp /etc/pulp/pulp.conf world readable, contains default admin...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4574
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 798435 872488
Blocks: 836071 852201
TreeView+ depends on / blocked
 
Reported: 2012-11-02 07:54 UTC by Kurt Seifried
Modified: 2021-02-17 08:27 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-25 06:36:05 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1543 0 normal SHIPPED_LIVE Important: CloudForms System Engine 1.1 update 2012-12-05 00:39:57 UTC

Description Kurt Seifried 2012-11-02 07:54:34 UTC
During an audit of file permissions within CloudForms it was found that the 
/etc/pulp/pulp.conf is world readable. This file can contain the following 
sensitive information:

# default_password: default password for admin
# Highly recommend changing the default_password with "pulp-admin user update"
#
[server]
...
default_login: admin 
default_password: CVkiDB/JKHhHp7+PlkfaqizG
...
oauth_key: katello
oauth_secret: zH9ZXu6JhDwlx9GjshbFaa0Q

This file should not be world readable, it should only be readable by the 
user/group that pulp runs as.

Comment 3 Vincent Danen 2012-11-30 22:50:19 UTC
Acknowledgements:

This issue was discovered by Kurt Seifried of the Red Hat Security Response Team.

Comment 4 errata-xmlrpc 2012-12-04 19:57:45 UTC
This issue has been addressed in following products:

  CloudForms for RHEL 6
  CloudForms Tools for RHEL 5

Via RHSA-2012:1543 https://rhn.redhat.com/errata/RHSA-2012-1543.html


Note You need to log in before you can comment on or make changes to this bug.