Bug 1086381 (CVE-2014-0175) - CVE-2014-0175 mcollective: default password set at install
Summary: CVE-2014-0175 mcollective: default password set at install
Alias: CVE-2014-0175
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1086500 1086501 1187464
Blocks: 1083866
TreeView+ depends on / blocked
Reported: 2014-04-10 18:03 UTC by Kurt Seifried
Modified: 2019-09-29 13:15 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-08-15 19:44:55 UTC

Attachments (Terms of Use)

Description Kurt Seifried 2014-04-10 18:03:41 UTC
mcollective includes a default username and password:

username: mcollective
password: marionette

The password should be set to a random value or specified during install time.

Comment 1 Luke Meyer 2014-04-10 18:09:41 UTC
openshift.sh has configuration options for this and other auth parameters.

This one in particular has to be the same across all hosts in the deployment, while openshift.sh only installs a single host, so it can't just be randomized if not given (at least, not if we want a decent user experience). Similar for mongo auth and BIND keys.

oo-install has a multi-host install perspective and could usefully randomize these parameters. Currently it doesn't enable doing that, however it's on the intended feature list.

Comment 4 Luke Meyer 2014-04-15 13:39:05 UTC
Well, if this is a vulnerability at all, can we be more specific?

What is "the installer" here? We have:

1. Docs for manual install (which do mention substituting a password e.g. https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/Deployment_Guide/index.html#Configuring_MCollective )
2. openshift.sh/.ks, which provides a parameter for changing this default (https://github.com/openshift/openshift-extras/blob/enterprise-2.0/enterprise/install-scripts/generic/openshift.sh#L482 )
3. oo-install, which uses openshift.sh as the actual installer but doesn't modify this default value.

Also, what would resolve this CVE? 

1. Is openshift.sh already "done" because it provides the option?
2. Does oo-install have to give the user an option to set this or can it just make up a scramble and store it in the deployment configuration?

Keep in mind that exactly the same issue exists for all of the user/password/key combinations listed in openshift.sh. I'm not sure why mcollective was singled out.

Comment 5 Luke Meyer 2014-07-08 18:29:04 UTC
Beginning with OSE 2.1 the default is to use randomized passwords. Any further need for this bug?

Comment 6 Kurt Seifried 2014-07-11 06:01:37 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHBA-2014:0487 https://rhn.redhat.com/errata/RHBA-2014-0487.html

Comment 7 Kurt Seifried 2015-01-30 05:53:30 UTC
Created mcollective tracking bugs for this issue:

Affects: fedora-all [bug 1187464]

Note You need to log in before you can comment on or make changes to this bug.