Date: Thu, 29 May 2014 02:56:42 -0400 (EDT) From: cve-assign@...re.org To: kseifried@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > This is to notify the community that Red Hat has fixed CVE-2014-0234 > Installer: OpenShift Enterprise: openshift.sh default password creation. Can you clarify the scope of this CVE? https://bugzilla.redhat.com/show_bug.cgi?id=1097008 says: CVE-2014-0234 OpenShift Enterprise openshift-origin-broker: default password creation The OpenShift Enterprise openshift-origin-broker configures a default password: /etc/openshift/broker.conf:MONGO_PASSWORD="mooo" /etc/openshift/broker.conf:MONGO_PASSWORD="mongopass" Please note that the optional installer also did this previously: https://github.com/openshift/openshift-extras/blob/enterprise-2.0/enterprise/install-scripts/generic/openshift.sh For the openshift.sh script, we think you might mean something like (this isn't really the right branch): https://github.com/openshift/openshift-extras/commit/4339020c62e43fa16f2145d46636f7dc0e26327f in which, possibly, the scope of the CVE is both: enterprise/install-scripts/generic/openshift.sh and enterprise/install-scripts/openshift.ks but not enterprise/install-scripts/amazon/openshift-amz.sh which has a different type of issue? Possibly a more important question is the status of MONGO_PASSWORD="mooo" - there's no "mooo" anywhere in 4339020c62e43fa16f2145d46636f7dc0e26327f. Instead, "mooo" apparently comes from: https://github.com/openshift/origin-server/blob/master/broker/conf/broker.conf and is not yet fixed in that github.com copy of the code. So, we could potentially model this as: 1. "different affected versions" in the sense that if someone wasn't using Red Hat's RPMs and instead updated everything from github.com after seeing RHSA-2014:0487-1, they would have the 4339020c62e43fa16f2145d46636f7dc0e26327f patches but would still have "mooo" or 2. "different affected products" in the sense that "mooo" is a vulnerability affecting the OpenShift Enterprise product (or specifically the openshift/origin-server package), whereas 4339020c62e43fa16f2145d46636f7dc0e26327f is a non-identical vulnerability in the openshift/openshift-extras package In other words, we don't know the interpretation in which "mooo" and 4339020c62e43fa16f2145d46636f7dc0e26327f end up with the same CVE ID. (We didn't try to determine why your quoted broker.conf has two MONGO_PASSWORD= lines, but https://github.com/openshift/origin-server/blob/master/broker/conf/broker.conf has only one MONGO_PASSWORD= line.) > I also wanted to open up a discussion as well, what counts as shipped > software, e.g. more and more projects have a bash script linked off > the front page/install page, my take on this is if it's "officially" > endorsed by the project and prominent it should probably count as > "shipped" software and get a CVE (assuming it has a security flaw), > but we shouldn't assign CVE's to every instance of install scripts The pre-4339020c62e43fa16f2145d46636f7dc0e26327f unpatched code such as https://github.com/openshift/openshift-extras/blob/9ecba01d34d7231cc05f04710217ddcee53202ad/enterprise/install-scripts/generic/openshift.sh contained this comment: # While this script serves as a good example script for installing a # single host, it is not comprehensive nor robust enough to be considered # a proper enterprise installer on its own. Production installations will # typically require significant adaptations or an entirely different # method of installation. Please adapt it to your needs. Typically, if a piece of code is simply not intended to be used as-is, it can't have CVE assignments for its vulnerabilities. The situation would be different if (for example) any Linux distribution shipped openshift.sh with conflicting documentation, or executed openshift.sh automatically. This might mean that the best scope of CVE-2014-0234 is only the default broker.conf file (because that issue is known to actually affect the Red Hat OpenShift Enterprise 2 product). - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJThthaAAoJEKllVAevmvms0xwH/28iARTXGytwn4Ee39iWWGK1 IAU3ofRZe/yxNLxlyBFZcCUJf6qVZaBszEolXn5BW4rRfeVLQwXR7Mt4RYJlhl6i WCiJloGWuOyAi45fHGFwB7uq+6f0UfuCANW+zgmxmh4oxoJranCaD9Q/L2eMlg60 N4bJkGqLCsN1srVCtboTZlPX8PedxokcLzwTWw8nboruQf5p0dVAXZmbmUETfUHq mVDNdods1k6N/AtGdHfu4wCEZpDDgQrdcCel2IKI2ftitmaLqCXfQ8cCMMXEHakJ F4MQ2KKL96v+W3sK/qQsciQ6UtNBAgC06zE60E/FF8EQPOrpfpKXoC4M9R8W2B4= =1753 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.