openshift.sh has configuration options for this and other auth parameters.

This one in particular has to be the same across all hosts in the deployment, while openshift.sh only installs a single host, so it can't just be randomized if not given (at least, not if we want a decent user experience). Similar for mongo auth and BIND keys.

oo-install has a multi-host install perspective and could usefully randomize these parameters. Currently it doesn't enable doing that, however it's on the intended feature list.

Well, if this is a vulnerability at all, can we be more specific?

What is "the installer" here? We have:

1. Docs for manual install (which do mention substituting a password e.g. https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/Deployment_Guide/index.html#Configuring_MCollective )
2. openshift.sh/.ks, which provides a parameter for changing this default (https://github.com/openshift/openshift-extras/blob/enterprise-2.0/enterprise/install-scripts/generic/openshift.sh#L482 )
3. oo-install, which uses openshift.sh as the actual installer but doesn't modify this default value.

Also, what would resolve this CVE? 

1. Is openshift.sh already "done" because it provides the option?
2. Does oo-install have to give the user an option to set this or can it just make up a scramble and store it in the deployment configuration?

Keep in mind that exactly the same issue exists for all of the user/password/key combinations listed in openshift.sh. I'm not sure why mcollective was singled out.

Beginning with OSE 2.1 the default is to use randomized passwords. Any further need for this bug?

This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHBA-2014:0487 https://rhn.redhat.com/errata/RHBA-2014-0487.html

Created mcollective tracking bugs for this issue:

Affects: fedora-all [bug 1187464]