[Openstack-security] [Bug 1785529] Re: Hard-coded passwords found in Puppet scripts

Adam Heczko aheczko at mirantis.com
Mon Aug 6 00:16:11 UTC 2018


Hi Akond,
I appreciate your research.
Fuel library is no longer a maintained project and was deprecated in 2017. As a deprecated project, it is unlikely that Fuel library will receive any further updates from the OpenStack community.

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1785529

Title:
  Hard-coded passwords found in Puppet scripts

Status in Fuel for OpenStack:
  New

Bug description:
  Detailed bug description:

  I am a security researcher, who is looking for security smells in Puppet scripts.
  I noticed instances of hard-coded passwords, which are against the best practices
  recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.

  Feedback is welcome.

  
  I noticed hard-coded passwords in the following scripts: 

  fuel-library/deployment/puppet/fuel/examples/host.pp
  fuel-library/deployment/puppet/fuel/manifests/params.pp
  fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic_compute.pp
  fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic.pp
  fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/keystone.pp
  fuel-library/deployment/puppet/openstack/manifests/cinder.pp
  fuel-library/deployment/puppet/openstack/manifests/network/neutron_agents.pp
  fuel-library/deployment/puppet/openstack/tests/all.pp
  fuel-library/deployment/puppet/osnailyfacter/manifests/ssh.pp
  fuel-plugin-ci/puppet-manifests/modules/fuel_project/manifests/common.pp
  fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/gbp_and_apic_gbp.pp
  fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/generic_apic_ml2.pp
  fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_apic.pp
  fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_auth.pp
  fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
  fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/params.pp
  fuel-plugin-external-zabbix/deployment_scripts/puppet/modules/plugin_zabbix/manifests/db/mysql.pp
  fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic-compute.pp
  fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/cgi.pp
  fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/params.pp
  fuel-plugin-scaleio/deployment_scripts/puppet/manifests/cinder.pp

  
  Impact:
  Hard-coded passwords in source code files are a bad practice

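The kind of check the report describes, as an added example that is not part of the bug report, the mailing-list reply or the Fuel project's own code: a small scanner that walks Puppet manifest text for secret-looking parameters and attributes (`password`, `passwd`, `secret`, `token`, `api_key`) assigned a non-empty string literal, which is the CWE-259 pattern, while ignoring values that are references rather than literals (a `$variable`, a `"${...}"` interpolation, a `lookup()` call, `undef`, or an empty placeholder `''`). The two sample manifests and their file names are constructed for the example and do not reproduce the contents of any file listed above.

```python
import re
from dataclasses import dataclass

# Constructed sample manifests (assumption: illustrative only, not Fuel code).
# Each shows the CWE-259 smell next to the accepted ways of passing a secret in.
SAMPLE_MANIFESTS = {
    "sample/host.pp": """\
class { 'sample::host':
  admin_password => 'admin',
  db_password    => $fuel_settings['postgres']['password'],
}
""",
    "sample/params.pp": """\
class sample::params {
  $keystone_admin_token = 'verysecrettoken'
  $rabbit_password      = "${::fuel_settings['rabbit']['password']}"
  $nailgun_db_password  = lookup('sample::db_password')
  $ssh_password         = undef
  $ostf_password        = ''
}
""",
}

# Parameter/attribute names that usually carry a credential.
SECRET_KEY = re.compile(r"(passw(or)?d|secret|token|api_key)", re.IGNORECASE)

# One Puppet assignment `$name = value` or resource attribute `name => value`.
ASSIGN = re.compile(r"""
    ^\s*\$?(?P<key>[A-Za-z0-9_:]+)\s*(=>|=)\s*
    (?P<value>'[^']*'|"[^"]*"|[^,\s]+)
""", re.VERBOSE)

# A double-quoted string that is nothing but one "${...}" interpolation.
INTERPOLATION_ONLY = re.compile(r'^"\$\{[^}]*\}"$')


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str
    value: str


def is_hardcoded_literal(value):
    """True for a non-empty quoted string that is not merely a variable reference."""
    if len(value) < 2 or value[0] not in "'\"" or value[-1] != value[0]:
        return False        # $var, lookup(...), undef, a number: not a string literal
    inner = value[1:-1]
    if not inner.strip():
        return False        # '' is a placeholder the operator must fill, not a secret
    if INTERPOLATION_ONLY.match(value):
        return False        # "${::fuel_settings[...]}" resolves at catalog compile time
    return True


def scan_manifest(path, text):
    """Return every secret-named key on a line whose value is a string literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN.match(line)
        if not m or not SECRET_KEY.search(m.group("key")):
            continue
        if is_hardcoded_literal(m.group("value")):
            findings.append(Finding(path, lineno, m.group("key"), m.group("value")))
    return findings


def scan_all(manifests=SAMPLE_MANIFESTS):
    """Scan a {path: manifest_text} mapping; order of findings follows the mapping."""
    out = []
    for path, text in manifests.items():
        out.extend(scan_manifest(path, text))
    return out


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.path}:{f.line}: {f.key} = {f.value}  (CWE-259 candidate)")
```

Run against the samples it reports exactly two lines, `admin_password => 'admin'` and `$keystone_admin_token = 'verysecrettoken'`; the four reference-style values pass. The regex is deliberately line-based and conservative: it will miss a literal spread across lines or hidden behind a concatenation, so it is a triage aid for a manual review rather than a proof of absence, and the remediation for each true hit is the same as for the references it accepts: move the value out of the manifest into a Hiera lookup or a deployment-time setting.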