Description
The puppet manifests in the Red Hat openstack-puppet-modules package before 2014.2.13-2 use a default password of CHANGEME for the pcsd daemon, which allows remote attackers to execute arbitrary shell commands via unspecified vectors.
It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root.
Report
Red Hat Product Security has rated this issue as having Important security impact; a future update will address the flaw. As a mitigation against this issue, any system deployed using the affected component should have the 'hacluster' password changed before being placed into production or on an untrusted network. An article with more detailed information is available to customers here: https://access.redhat.com/articles/1396123
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat OpenStack Platform 4 | openstack-foreman-installer | Affected | | |
| Red Hat OpenStack Platform 4 | openstack-puppet-modules | Affected | | |
| OpenStack Foreman for RHEL 6 | augeas | Fixed | RHSA-2015:0830 | 16.04.2015 |
| OpenStack Foreman for RHEL 6 | openstack-foreman-installer | Fixed | RHSA-2015:0830 | 16.04.2015 |
| OpenStack Foreman for RHEL 6 | openstack-puppet-modules | Fixed | RHSA-2015:0830 | 16.04.2015 |
| OpenStack Foreman for RHEL 6 | rhel-osp-installer | Fixed | RHSA-2015:0830 | 16.04.2015 |
| OpenStack Foreman for RHEL 6 | ruby193-rubygem-staypuft | Fixed | RHSA-2015:0830 | 16.04.2015 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | openstack-packstack | Fixed | RHSA-2015:0832 | 16.04.2015 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | openstack-puppet-modules | Fixed | RHSA-2015:0832 | 16.04.2015 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 | openstack-packstack | Fixed | RHSA-2015:0831 | 16.04.2015 |
Additional information
CVSS2: 9.3 Critical
Related vulnerabilities
Vulnerability in the OpenStack cloud services platform that allows an attacker to execute arbitrary commands