Bug 873120 - (CVE-2012-5474) CVE-2012-5474 OpenStack: Dashboard /etc/openstack-dashboard/local_settings secret key exposure
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All Linux
Priority: low  Severity: low
Assigned To: Red Hat Product Security
: Security
Depends On: 873121 873440 876291
Blocks: 836072 873487
Reported: 2012-11-05 03:03 EST by Kurt Seifried
Modified: 2016-04-27 01:18 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-12-14 04:10:12 EST

Description Kurt Seifried 2012-11-05 03:03:48 EST
Within the OpenStack dashboard package (specifically openstack-dashboard) the 
file /etc/openstack-dashboard/local_settings is world readable and contains:

# Note: You should change this value
SECRET_KEY = 'elj1IWiLoWHgcyYxFVLj7cM5rGOOxWl0'

Also as a note the same value is contained within:

This file needs to be read by the web server (apache HTTPD), so a reasonable
file configuration would be to set the file as owned by the root user and the 
apache group with file mode 0640. 

As I understand it this value is no longer used in the Folsom release of 
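The report above names two problems: the settings file is readable by every local user, and it still carries the SECRET_KEY value shipped in the package, so anyone who can read the file (or just the package) can forge Django session cookies for the dashboard. The script below is an added example, not code from the bug report, from the python-django-horizon package or from the Horizon project. It audits a local_settings file for both conditions, rotates the key, and applies the root:apache / 0640 layout the report recommends. The function names, the 32-character minimum-length heuristic and the constructed sample file are my assumptions; the chown step is optional because it needs root.

```python
"""Audit and harden an OpenStack Dashboard local_settings file.

Added example (not from the bug report or the Horizon project). Checks the
two issues in the report: the file readable by users outside root and the
web-server group, and the packaged placeholder SECRET_KEY still in use.
"""
import os
import re
import secrets
import shutil
import stat
import tempfile

# The placeholder value shipped in the package, as quoted in the bug report.
SHIPPED_DEFAULT_KEY = "elj1IWiLoWHgcyYxFVLj7cM5rGOOxWl0"

# Django settings are Python; the package ships a single-line assignment.
# Groups: 1 = "SECRET_KEY = ", 2 = quote char, 3 = key, 4 = rest of the line.
SECRET_KEY_RE = re.compile(r"^(\s*SECRET_KEY\s*=\s*)(['\"])(.*?)\2(.*)$", re.M)


def audit_local_settings(path):
    """Return a list of findings; an empty list means the file looks acceptable."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    m = SECRET_KEY_RE.search(text)
    if m is None:
        findings.append("no SECRET_KEY assignment found")
    else:
        key = m.group(3)
        if key == SHIPPED_DEFAULT_KEY:
            findings.append("SECRET_KEY is the value shipped in the package")
        elif len(key) < 32:  # assumed minimum; the packaged key is 32 characters
            findings.append("SECRET_KEY shorter than 32 characters")
    return findings


def generate_secret_key(nbytes=48):
    """48 random bytes as URL-safe base64: 64 chars, no quote characters to escape."""
    return secrets.token_urlsafe(nbytes)


def rotate_secret_key(path, new_key=None):
    """Replace the single SECRET_KEY assignment in place; returns the key written."""
    new_key = new_key or generate_secret_key()
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    text, count = SECRET_KEY_RE.subn(
        lambda m: f"{m.group(1)}'{new_key}'{m.group(4)}", text)
    if count != 1:
        raise ValueError(f"expected exactly one SECRET_KEY assignment, found {count}")
    # Write to a 0600 temp file in the same directory and rename over the original,
    # so the file is never left half-written or briefly world-readable.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".local_settings.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return new_key


def harden_mode(path, group=None, owner="root"):
    """Set mode 0640 and, when a group is given, chown to owner:group (needs root).

    With group="apache" this gives the root:apache 0640 layout from the report.
    Returns the resulting mode as a string, e.g. '0o640'.
    """
    os.chmod(path, 0o640)
    if group is not None:
        shutil.chown(path, user=owner, group=group)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def make_sample_file(directory=None):
    """Write a constructed copy of the shipped file (world-readable, default key)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "local_settings")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# Note: You should change this value\n"
                 f"SECRET_KEY = '{SHIPPED_DEFAULT_KEY}'\n")
    os.chmod(path, 0o644)  # the packaged mode the report complains about
    return path


if __name__ == "__main__":
    sample = make_sample_file()
    print("before:", audit_local_settings(sample))
    rotate_secret_key(sample)
    print("mode:", harden_mode(sample))  # add group="apache" when run as root
    print("after:", audit_local_settings(sample))
```

Run `rotate_secret_key` before `harden_mode`: the rename in the rotation step creates a fresh inode with mode 0600, and `harden_mode` then opens it to the web-server group. Rotating the key invalidates every existing dashboard session, which is the intended effect when the old key was public.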
Comment 1 Kurt Seifried 2012-11-13 13:34:16 EST
Created python-django-horizon tracking bugs for this issue

Affects: epel-6 [bug 876291]
Comment 2 Fedora Update System 2012-11-17 14:50:22 EST
python-keystoneclient-, python-glanceclient-0.5.1-1.el6, python-websockify-0.2.0-1.el6, novnc-0.4-2.el6, python-prettytable-0.6.1-1.el6, openstack-quantum-2012.2-2.el6, python-quantumclient-2.1.1-0.el6, python-cinderclient-0.2.26-1.el6, python-novaclient-2.9.0-1.el6, python-django-openstack-auth-1.0.2-3.el6, openstack-nova-2012.2-2.el6, openstack-cinder-2012.2-3.el6, openstack-utils-2012.2-6.el6, openstack-glance-2012.2-3.el6, python-django-horizon-2012.2-4.el6, openstack-keystone-2012.2-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2012-11-23 02:39:33 EST
python-django-horizon-2012.2-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Huzaifa S. Sidhpurwala 2012-11-28 01:03:22 EST

This issue was discovered by Kurt Seifried of Red Hat Security Response Team.
