Hard-coded passwords found in Puppet scripts

Bug #1785529 reported by Akond Rahman on 2018-08-05
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Undecided
Unassigned

Bug Description

Detailed bug description:

I am a security researcher, who is looking for security smells in Puppet scripts.
I noticed instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.

Feedback is welcome.

I noticed hard-coded passwords in the following scripts:

fuel-library/deployment/puppet/fuel/examples/host.pp
fuel-library/deployment/puppet/fuel/manifests/params.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic_compute.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/keystone.pp
fuel-library/deployment/puppet/openstack/manifests/cinder.pp
fuel-library/deployment/puppet/openstack/manifests/network/neutron_agents.pp
fuel-library/deployment/puppet/openstack/tests/all.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/ssh.pp
fuel-plugin-ci/puppet-manifests/modules/fuel_project/manifests/common.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/gbp_and_apic_gbp.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/generic_apic_ml2.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_apic.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_auth.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/params.pp
fuel-plugin-external-zabbix/deployment_scripts/puppet/modules/plugin_zabbix/manifests/db/mysql.pp
fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic-compute.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/cgi.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/params.pp
fuel-plugin-scaleio/deployment_scripts/puppet/manifests/cinder.pp

Impact:
Hard-coded passwords in source code files is a bad practice

Adam Heczko (aheczko-mirantis) wrote :

Hi Akond,
I appreciate your research.
Fuel library is no longer maintained project and was deprecated in 2017. As deprecated project is is unlikely that Fuel library receive any further updates from the OpenStack community.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers