Bug 916767 (CVE-2013-1793) - CVE-2013-1793 openstack-utils: openstack-db insecure password creation for services
Summary: CVE-2013-1793 openstack-utils: openstack-db insecure password creation for se...
Alias: CVE-2013-1793
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 916769 916770
TreeView+ depends on / blocked
Reported: 2013-02-28 20:59 UTC by Kurt Seifried
Modified: 2019-09-29 13:01 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-17 06:05:07 UTC

Attachments (Terms of Use)

Description Kurt Seifried 2013-02-28 20:59:00 UTC
Steve Gordon (sgordon) reports:

The openstack-db program (a bash script which is part of the openstack-utils 

Set up a local database (MySQL) for use with openstack-<service>. 
This script will create a '<service>' database that is accessible 
only on localhost by user '<service>' with password '<service>'.
The setup of a database with a multi-server OpenStack installation
is outside of the scope of this simple helper script.

This is not well documented in the install instructions and only mentioned 
within thmanual page for openstack-db or if it is invoked with the --help | -h
option. The program supports a --password | -p option to set a password during
installation however this is not mentioned. So by default installations will 
have multiple accounts created in MySQL with the username and password set to
"service name", this list includes "keystone", "glance", "cinder" and "nova".

Suggested fix: force usage of --password | -p, or generate a secure random 
password and use that instead of the service name if no password is specified.

We also need to document this better in the installation guide and explicitly 
state what is going on.

The affected code is:


and then later on an SQL statement is created:


External references:

Comment 2 Kurt Seifried 2014-03-13 05:51:03 UTC
So his is still an issue, all the docs show adding a password at the command line (which is actually less than ideal, it'll be stored in your command line history/shown in ps), I would suggest we add a prompt for password if not password is entered, rather than randomly generating one by default.

Comment 3 Pádraig Brady 2014-07-15 13:17:14 UTC
Yes openstack-db --init will set password to the service name.
That aligns with the upstream default of using a password = the service name.

However this script is mainly useful for developers, and --init is
not documented for end users.

It's not really an option at present to remove this script, as
it's been documented recently in the upgrade process:

So I'd be 60:40 for leaving the script as is for now,
seeing as it's not end user impacting.

Comment 4 Pádraig Brady 2014-07-16 09:19:40 UTC
Also the option of setting a random password for --init is possible.

But I'd be 60:40 for leaving the script as is for now,
seeing as it's not end user impacting.

Comment 5 Garth Mollett 2014-07-17 06:05:07 UTC
Ok, I'm going to close this as wontfix. Given the current state of this program and the user impact in the current releases (ie. none), if we do decide to change the behavior or remove this script in the future I am happy to call it hardening.

Note You need to log in before you can comment on or make changes to this bug.