[Openstack-security] [Bug 1639032] Re: Hardcoded password sent plaintext
Jeremy Stanley
fungi at yuggoth.org
Fri Nov 11 21:02:21 UTC 2016
Thanks Sean. I am sufficiently convinced that there's no risk in
switching this to public, at the very least. I'm setting the OSSA task
to invalid as well, though that is easily reversible if for some reason
we find out there is some action we need to take (however unlikely).
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1639032
Title:
Hardcoded password sent plaintext
Status in Cinder:
Invalid
Status in OpenStack Security Advisory:
Invalid
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
In cinder/volume/drivers/nexenta/utils.py:103 there is a hardcoded
password. This password is then used in
cinder/volume/drivers/nexenta/iscsi.py and
cinder/volume/drivers/nexenta/nfs.py.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1639032/+subscriptions