Director - Default root password set in Overcloud images - CVE-2016-4474

Public Date: June 8, 2016, 12:47
Updated: August 1, 2016, 07:48
Status: Resolved
Impact: Important

A vulnerability was discovered in overcloud images used by Red Hat OpenStack director to deploy OpenStack environments, where all shipped images have the same default root password.

Background Information

Overcloud images are built by booting a "utility" Red Hat Enterprise Linux image in a virtual machine, and customizing the image for director usage by installing all relevant OpenStack packages. However, the utility image had the following parameter configured, and this parameter was not changed during customization:

rootpw ROOTPW

As a result, all shipped images had the default root password of "ROOTPW".

Take Action

All Red Hat customers with OpenStack environments which were deployed by impacted director versions are strongly recommended to apply mitigations to their systems. Any new deployments should only use the updated Overcloud images. Image versions and recommended mitigations can be found under the Resolve tab.

Red Hat Product Security has rated this update as having a security impact of Important.

All OpenStack systems deployed by the director with these images have the known root password of "ROOTPW". If this password was not changed after deployment, an attacker could potentially access and update the system as root.

Because remote root access using SSH is disabled by default, an attacker would require an account on the machine or console access through either the undercloud Compute (this configuration is not supported) or other standard console tools.

To diagnose this vulnerability in your OpenStack environment, see the Resolve tab.

Impacted Products

The following Red Hat Product versions are impacted:

  • Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director
  • Red Hat OpenStack Platform 8.0 (Liberty) director

Diagnose

You can easily diagnose this vulnerability by doing the following:

  1. Run nova list on the undercloud to display a list of impacted machines.
  2. Try to log on as 'root' to each machine using the 'ROOTPW' password.

Mitigation

The vulnerability can be mitigated by changing the root password of any machines deployed by the director, or restricting the root account:

  1. Run nova list on the undercloud to display a list of impacted machines.
  2. Log into each machine and gain root access, for example:
    • $ ssh heat-admin@<your-system>
    • $ su -
  3. Do one of the following:
    • Set a new password: # passwd
    • Lock the root account: # passwd -l root
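The diagnosis and mitigation steps above, as an added shell script that is not part of this advisory: it reads the undercloud's nova list output for node addresses and locks root on each ACTIVE node over SSH as heat-admin, then verifies the lock. It assumes director defaults (stackrc sourced on the undercloud, key-based SSH as heat-admin, passwordless sudo for that user); the nova list table embedded below is a constructed sample.

```shell
#!/bin/sh
# Added example, not Red Hat's tooling: lock root on every overcloud node
# that the undercloud's `nova list` reports, following the Mitigation steps.
# Assumptions: run on the undercloud with stackrc sourced; nodes reachable
# as heat-admin with key-based SSH; heat-admin has passwordless sudo
# (director defaults). The table below is a constructed sample.

SAMPLE_NOVA_LIST='+------+------------------------+--------+------------+-------------+---------------------+
| ID   | Name                   | Status | Task State | Power State | Networks            |
+------+------------------------+--------+------------+-------------+---------------------+
| c0f1 | overcloud-controller-0 | ACTIVE | -          | Running     | ctlplane=192.0.2.10 |
| 7a9e | overcloud-compute-0    | ACTIVE | -          | Running     | ctlplane=192.0.2.11 |
| 3bd4 | overcloud-compute-1    | ERROR  | -          | Shutdown    | ctlplane=192.0.2.12 |
+------+------------------------+--------+------------+-------------+---------------------+'

# Read a `nova list` table on stdin and print the ctlplane IP of every
# ACTIVE node, one per line (columns: ID, Name, Status, Task State,
# Power State, Networks; Networks looks like "ctlplane=192.0.2.10").
node_ips() {
    awk -F'|' '/ctlplane=/ && $4 ~ /ACTIVE/ {
        split($7, kv, "=")
        gsub(/[ \t]+/, "", kv[2])
        print kv[2]
    }'
}

# Given the root line of /etc/shadow, succeed only if the password field
# starts with "!" or "*", i.e. the account is locked (passwd -l) or disabled.
root_locked() {
    case "$1" in
        root:[*!]*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Lock root on one node and verify by re-reading its shadow entry.
lock_root() {
    line=$(ssh -o BatchMode=yes "heat-admin@$1" \
        "sudo passwd -l root >/dev/null && sudo grep '^root:' /etc/shadow") || return 1
    root_locked "$line"
}

if [ "${1:-}" = "--apply" ]; then
    # Live run: lock root on every ACTIVE node and report the outcome.
    nova list | node_ips | while read -r ip; do
        if lock_root "$ip"; then echo "$ip: root locked"; else echo "$ip: FAILED"; fi
    done
else
    # Default dry run on the constructed sample; no SSH is attempted.
    printf '%s\n' "$SAMPLE_NOVA_LIST" | node_ips
fi
```

Without arguments the script only lists the node addresses it would act on; pass --apply on the undercloud to lock root for real.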

Updates for Affected Products

Fixes for all impacted Products were released on June 13, 2016.

Errata only provide updated images for future deployments. However, the root password in current deployments must also be updated (see Mitigation).

Product | Images | Advisory/Update
Red Hat OpenStack Platform 8.0 (Liberty) director | rhosp-director-images-8.0-20160603.2.el7ost | RHSA-2016:1222
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director | overcloud-full version 7.3.2 or later | RHSA-2016:1223
