Hardcoded, weak, potentially unchangeable password in Cloudera plugin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | 
Sahara | Fix Released | Critical | Ken Chen | 2015.1.0
Bug Description
On this line:
https:/
Since this is a management interface, it should be set up so that the admin credentials are configurable. As this code doesn't contain any option to specify the username and password, I can only assume that they are always set to these values; otherwise this code probably wouldn't work.
Since the code is open source, an attacker has access to any hardcoded credentials such as these. These particular hardcoded credentials are particularly weak, as they are the first thing any attacker would guess.
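As an added example (not code from the bug report, and not Sahara's own code), the pattern the report objects to is shown beside the fix it asks for, in Python, Sahara's language: a plugin client whose management credentials are fixed in the source, and a credential resolver that takes them from deployment configuration, generates a random password when none is set, and refuses a well-known default instead of silently using it. The class and function names (`HardcodedManagerClient`, `ManagerClient`, `resolve_credentials`, `is_weak_password`), the credential values, the `WEAK_DEFAULTS` list and the plain dict standing in for the plugin's configuration options are all assumptions; the report does not show the real code or values.

```python
"""Constructed example, not Sahara's code: replacing hard-coded
management-interface credentials with per-deployment values.

``HardcodedManagerClient`` shows the pattern the bug report describes;
``resolve_credentials`` plus ``ManagerClient`` show the configurable form.
"""
import secrets
import string
from dataclasses import dataclass

# Anti-pattern: credentials baked into the source, so anyone who can read
# the code knows them.  (Assumed values; the report does not state them.)
HARDCODED_USERNAME = "admin"
HARDCODED_PASSWORD = "admin"


class HardcodedManagerClient:
    """Hypothetical client for a cluster-manager REST API, credentials fixed."""

    def __init__(self, host):
        self.host = host
        self.auth = (HARDCODED_USERNAME, HARDCODED_PASSWORD)


# Hardened form ---------------------------------------------------------

# Well-known default passwords an operator must not keep on a management
# interface (constructed list, not taken from any vendor documentation).
WEAK_DEFAULTS = frozenset({"", "admin", "password", "changeme", "cloudera"})
MIN_PASSWORD_LENGTH = 16
DEFAULT_USERNAME = "admin"  # the username is not a secret; only the password is


@dataclass(frozen=True)
class ManagerCredentials:
    username: str
    password: str
    generated: bool  # True when no password was configured and one was made


def generate_password(length=32):
    """Return a random alphanumeric password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_weak_password(password, username):
    """Weak means: a known default, equal to the username, or too short."""
    lowered = password.lower()
    return (lowered in WEAK_DEFAULTS
            or lowered == username.lower()
            or len(password) < MIN_PASSWORD_LENGTH)


def resolve_credentials(conf):
    """Build management credentials from a deployment config mapping.

    ``conf`` is a plain dict standing in for the plugin's configuration
    options (assumed keys ``username`` and ``password``).  A missing
    password is generated per deployment; a configured but weak password
    is rejected rather than silently accepted.
    """
    username = conf.get("username") or DEFAULT_USERNAME
    password = conf.get("password")
    if not password:
        return ManagerCredentials(username, generate_password(), generated=True)
    if is_weak_password(password, username):
        raise ValueError(
            "configured management password is a well-known default or too short")
    return ManagerCredentials(username, password, generated=False)


class ManagerClient:
    """Same hypothetical client, but credentials are supplied per deployment."""

    def __init__(self, host, creds):
        self.host = host
        self.auth = (creds.username, creds.password)


if __name__ == "__main__":
    creds = resolve_credentials({"username": "admin", "password": None})
    client = ManagerClient("cm.example.internal", creds)
    print("generated password of length", len(client.auth[1]))
    try:
        resolve_credentials({"username": "admin", "password": "admin"})
    except ValueError as exc:
        print("rejected:", exc)
```

A generated password still has to reach the operator (for example by being stored in the cluster record or logged once at creation), and the management interface itself must accept a password change; the check above only prevents the plugin from shipping or accepting a guessable value.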
Changed in sahara:
  milestone: none → next
  milestone: next → kilo-3
Changed in sahara:
  milestone: kilo-3 → kilo-rc1
  information type: Private Security → Public Security
  information type: Public Security → Public
Changed in ossa:
  status: Incomplete → Won't Fix
Changed in sahara:
  importance: Undecided → Critical
  status: New → Confirmed
Changed in sahara:
  assignee: nobody → Michael McCune (mimccune)
Changed in sahara:
  status: Confirmed → In Progress
Changed in sahara:
  assignee: Michael McCune (mimccune) → Ken Chen (ken-chen-i)
Changed in sahara:
  status: Fix Committed → Fix Released
Changed in sahara:
  milestone: kilo-rc1 → 2015.1.0
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.