CVE-2015-1842
It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root.
Find out more about CVE-2015-1842 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat Product Security has rated this issue as having Important security impact, a future update will address the flaw.
As a mitigation against this issue, any system deployed using the affected component should have the 'hacluster' password changed before being placed into production or on an untrusted network.
An article with more detailed information is available to customers here:
https://access.redhat.com/articles/1396123
CVSS v2 metrics
| Base Score | 9.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Complete |
| Integrity Impact | Complete |
| Availability Impact | Complete |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 (openstack-puppet-modules) | RHSA-2015:0789 | 2015-04-07 |
| OpenStack 6 Installer for RHEL 7 | RHSA-2015:0791 | 2015-04-07 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 (openstack-puppet-modules) | RHSA-2015:0832 | 2015-04-16 |
| OpenStack Foreman | RHSA-2015:0830 | 2015-04-16 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 (openstack-puppet-modules) | RHSA-2015:0831 | 2015-04-16 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 4.0 | openstack-puppet-modules | Affected |
| Red Hat Enterprise Linux OpenStack Platform 4.0 | openstack-foreman-installer | Affected |