Default container user's password is hardcoded
Bug #1437054 reported by Jimmy McCrory
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Critical | Kevin Carter |
Icehouse | Fix Released | Critical | Kevin Carter |
Juno | Fix Released | Critical | Kevin Carter |
Kilo | Fix Released | Critical | Kevin Carter |
Trunk | Fix Released | Critical | Kevin Carter |
Bug Description
The ubuntu user password within each container is exposed through the LXC template and is currently hardcoded.
The security concern is that an unprivileged user on a host server would be able to ssh and log in to any of the OpenStack containers and become root, since the ubuntu user is a member of the sudo group.
We've worked around this in our deployments by creating a new task which generates and registers a random password, and passing that to the template_options of the Create container task.
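The workaround described above, sketched as Ansible tasks. This is an added illustration, not the reporter's tasks or OpenStack-Ansible code: the inventory group, container name and variable names are hypothetical, and the `--password` template option is an assumption about the LXC template in use.

```yaml
# Illustrative playbook: one random password per container instead of a
# value hardcoded in the LXC template.
- name: Create container with a generated password for the default user
  hosts: lxc_hosts                 # hypothetical inventory group
  become: true
  vars:
    container_name: example_container   # hypothetical container name
  tasks:
    - name: Generate a random password
      # Hex output avoids shell-quoting problems when the value is later
      # passed through template_options.
      command: openssl rand -hex 24
      register: container_password
      changed_when: false
      no_log: true                 # keep the value out of Ansible output and logs

    - name: Create container
      lxc_container:
        name: "{{ container_name }}"
        template: ubuntu
        # Assumption: the template accepts --password for its default user.
        template_options: "--password {{ container_password.stdout }}"
        state: started
      no_log: true                 # task arguments contain the password
```

Template options are handed to the template as command-line arguments, so the generated value may be visible in the host's process list while the container is being created. Where the template allows it, locking the default user's password and relying on key-based access removes that exposure.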
Changed in openstack-ansible:
importance: Undecided → Critical
assignee: nobody → Kevin Carter (kevin-carter)
information type: Private Security → Public Security
Thanks for reporting this Jimmy! We'll work on a patch on our end and post it here soon so you can review it and make sure it works for you.