Red Hat Bugzilla – Bug 873120
CVE-2012-5474 OpenStack: Dashboard /etc/openstack-dashboard/local_settings secret key exposure
Last modified: 2016-04-27 01:18:27 EDT
Within the OpenStack dashboard package (specifically openstack-dashboard) the
file /etc/openstack-dashboard/local_settings is world readable and contains:
# Note: You should change this value
SECRET_KEY = 'elj1IWiLoWHgcyYxFVLj7cM5rGOOxWl0'
Also as a note the same value is contained within:
This file needs to be read by the web server (apache HTTPD), so a reasonable
file configuration would be to set the file as owned by the root user and the
apache group with file mode 0640.
As I understand it this value is no longer used in the Folsom release of
Created python-django-horizon tracking bugs for this issue:
Affects: epel-6 [bug 876291]
python-keystoneclient-0.1.3.27-1.el6, python-glanceclient-0.5.1-1.el6, python-websockify-0.2.0-1.el6, novnc-0.4-2.el6, python-prettytable-0.6.1-1.el6, openstack-quantum-2012.2-2.el6, python-quantumclient-2.1.1-0.el6, python-cinderclient-0.2.26-1.el6, python-novaclient-2.9.0-1.el6, python-django-openstack-auth-1.0.2-3.el6, openstack-nova-2012.2-2.el6, openstack-cinder-2012.2-3.el6, openstack-utils-2012.2-6.el6, openstack-glance-2012.2-3.el6, python-django-horizon-2012.2-4.el6, openstack-keystone-2012.2-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
python-django-horizon-2012.2-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This issue was discovered by Kurt Seifried of Red Hat Security Response Team.
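An audit of the two points raised in the report above, the world-readable mode of local_settings and the packaged default SECRET_KEY, as an added example that is not part of the bug report or of Horizon. The function names, the optional owner/group arguments and the sample file contents are assumptions; the default key string is the one quoted in the report.

```python
import grp
import os
import pwd
import re
import stat
import tempfile

# SECRET_KEY value shipped in the packaged local_settings, as quoted in the bug report.
SHIPPED_DEFAULT_SECRET_KEY = 'elj1IWiLoWHgcyYxFVLj7cM5rGOOxWl0'

# Matches a Django-style "SECRET_KEY = '...'" assignment at the start of a line.
SECRET_KEY_RE = re.compile(r"""^\s*SECRET_KEY\s*=\s*['"]([^'"]*)['"]""", re.M)


def audit_local_settings(path, expected_owner=None, expected_group=None):
    """Return a list of findings for a local_settings file (empty list = passes).

    Checks the report's two problems: the file must not be readable by
    'other' (the report suggests root:apache with mode 0640), and SECRET_KEY
    must not be the value shipped in the package. Owner and group are only
    checked when expected_owner / expected_group are given, because a
    temporary test file cannot be chowned without privileges.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (mode %o)" % mode)
    if expected_owner and pwd.getpwuid(st.st_uid).pw_name != expected_owner:
        findings.append("owner is not %s" % expected_owner)
    if expected_group and grp.getgrgid(st.st_gid).gr_name != expected_group:
        findings.append("group is not %s" % expected_group)
    with open(path) as fh:
        match = SECRET_KEY_RE.search(fh.read())
    if match is None:
        findings.append("SECRET_KEY not set")
    elif match.group(1) == SHIPPED_DEFAULT_SECRET_KEY:
        findings.append("SECRET_KEY is the packaged default value")
    return findings


def write_sample(contents, mode):
    """Write a constructed local_settings fragment to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(prefix="local_settings_")
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    os.chmod(path, mode)  # set explicitly so the umask does not affect the result
    return path
```

Run as root against the real /etc/openstack-dashboard/local_settings with expected_owner="root" and expected_group="apache" to check the layout the report recommends.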