[Openstack-security] [Bug 1785529] [NEW] Hard-coded passwords found in Puppet scripts
Akond Rahman
1785529 at bugs.launchpad.net
Sun Aug 5 22:58:52 UTC 2018
Public bug reported:
Detailed bug description:
I am a security researcher who is looking for security smells in Puppet scripts.
I noticed instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.
Feedback is welcome.
I noticed hard-coded passwords in the following scripts:
fuel-library/deployment/puppet/fuel/examples/host.pp
fuel-library/deployment/puppet/fuel/manifests/params.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic_compute.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/keystone.pp
fuel-library/deployment/puppet/openstack/manifests/cinder.pp
fuel-library/deployment/puppet/openstack/manifests/network/neutron_agents.pp
fuel-library/deployment/puppet/openstack/tests/all.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/ssh.pp
fuel-plugin-ci/puppet-manifests/modules/fuel_project/manifests/common.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/gbp_and_apic_gbp.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/generic_apic_ml2.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_apic.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_auth.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/params.pp
fuel-plugin-external-zabbix/deployment_scripts/puppet/modules/plugin_zabbix/manifests/db/mysql.pp
fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic-compute.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/cgi.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/params.pp
fuel-plugin-scaleio/deployment_scripts/puppet/manifests/cinder.pp
Impact:
Hard-coded passwords in source code files are a bad practice.
** Affects: fuel
Importance: Undecided
Status: New
** Tags: security smells
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1785529
To manage notifications about this bug go to:
https://bugs.launchpad.net/fuel/+bug/1785529/+subscriptions
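Added example, not part of this bug report, the Fuel code base or the researcher's own tooling: a small Python scanner that flags credential-named assignments in Puppet manifests whose value is a bare string literal, run over two constructed fragments. The `example::db` class, the Hiera keys, the variable names and the passwords are all made up for the illustration. The weak fragment carries the CWE-259 pattern the report describes; the hardened fragment takes the same values from Hiera via `lookup()` and wraps them in `Sensitive`, which the scanner correctly leaves alone.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed Puppet fragments for this example; they are not taken from
# fuel-library or any Fuel plugin. WEAK_MANIFEST shows the CWE-259 smell:
# literal passwords in class-parameter defaults and variable assignments.
WEAK_MANIFEST = """\
class example::db (
  $db_user     = 'cinder',
  $db_password = 'cinder_secret',
) {
  mysql::db { 'cinder':
    user     => $db_user,
    password => $db_password,
  }
  $admin_password  = 'admin123'
  $rabbit_password = "rabbitpass"
}
"""

# HARDENED_MANIFEST reads the same secrets from Hiera with lookup() and wraps
# them in Sensitive so Puppet redacts them in reports and logs; the only
# literals left are a username, an interpolated variable and undef.
HARDENED_MANIFEST = """\
class example::db (
  String            $db_user     = 'cinder',
  Sensitive[String] $db_password = Sensitive(lookup('example::db::password')),
) {
  mysql::db { 'cinder':
    user     => $db_user,
    password => $db_password,
  }
  $admin_password  = Sensitive(lookup('example::admin_password'))
  $rabbit_password = "${rabbit_secret}"
  $legacy_password = undef
}
"""

# Parameter and variable names that usually carry a credential.
SECRET_NAME = re.compile(r'password|passwd|pwd|secret|token', re.IGNORECASE)

# `[Type] $name = value` (variable or parameter default) or `name => value`
# (resource attribute). The value runs to end of line; a trailing comma or
# semicolon is absorbed so it does not end up inside the value.
ASSIGNMENT = re.compile(
    r'^\s*(?:[A-Z][A-Za-z0-9_]*(?:\[[^\]]*\])?\s+)?'   # optional data type
    r'\$?(?P<name>[A-Za-z_][A-Za-z0-9_]*)'
    r'\s*(?:=>|=)\s*(?P<value>.+?)\s*[,;]?\s*$'
)

# A bare string literal: group 1 single-quoted, group 2 double-quoted.
STRING_LITERAL = re.compile(r'''^(?:'([^']*)'|"([^"]*)")$''')


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    value: str


def find_hardcoded_passwords(manifest: str) -> list[Finding]:
    """Return every credential-named assignment whose value is a string literal."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(manifest.splitlines(), start=1):
        # Drop a trailing comment; a '#' glued to non-space (as inside a
        # quoted value) is left alone.
        line = re.sub(r'\s+#.*$', '', raw)
        m = ASSIGNMENT.match(line)
        if not m or not SECRET_NAME.search(m.group('name')):
            continue
        lit = STRING_LITERAL.match(m.group('value'))
        if lit is None:
            # lookup(), Sensitive(...), $variable references and undef are
            # not literals, so no secret is being committed on this line.
            continue
        secret = lit.group(1) if lit.group(1) is not None else lit.group(2)
        if lit.group(2) is not None and '$' in secret:
            continue  # double-quoted interpolation, e.g. "${rabbit_secret}"
        if secret == '':
            continue  # empty passwords are a separate weakness, not covered here
        findings.append(Finding(line_no, m.group('name'), secret))
    return findings


if __name__ == '__main__':
    for label, text in (('weak', WEAK_MANIFEST), ('hardened', HARDENED_MANIFEST)):
        hits = find_hardcoded_passwords(text)
        print(f'{label}: {len(hits)} hard-coded password(s)')
        for f in hits:
            print(f'  line {f.line_no}: ${f.name} = {f.value!r}')
```

The check is line-oriented and regex-based, so it is a cheap pre-commit or CI gate rather than proof of absence: secrets spread over multi-line hashes, passed through templates, or assigned under a name that does not match `SECRET_NAME` will be missed. Review of the files listed in the report still has to be done by reading them.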