mirror of https://github.com/xcat2/xcat-core.git synced 2025-08-21 10:40:24 +00:00

Add security bulletin for removal of hard coded password

Victor Hu
2016-11-18 10:49:29 -05:00
parent bc0dcddcb0
commit 167fb753a8
2 changed files with 61 additions and 0 deletions


@@ -0,0 +1,60 @@
2016-11-30 - Removal of Service Stream Password
===============================================
It has been brought to our attention that the xCAT product has hard-coded default passwords for the HMC/FSP to allow for IBM Service to connect to customer machines for L2/L3 support activities. This creates a security vulnerability where third parties could potentially gain root level access using these weak, hard coded passwords.
Example: ::
create_pwd => "netsDynPwdTool --create dev FipSdev",
password => "FipSdev"
In response, xCAT will remove these hard-coded password and interfaces from the xCAT code.
Action
------
No action is required for xCAT 2.12.3, and higher.
If running older versions of xCAT, update xCAT to a higher level code base that has the hard-coded default passwords removed.
The following table describes the recommended update path:
+-------------------------+-----------------------------------+---------------------------------------+
| xCAT Version | Action | Release Notes |
+=========================+===================================+=======================================+
| **2.13**, or higher | No applicable | |
| | | |
+-------------------------+-----------------------------------+---------------------------------------+
| **2.12.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes <https:// |
| | | github.com/xcat2/xcat-core/wiki |
| | | /XCAT_2.12.3_Release_Notes>`_ |
+-------------------------+-----------------------------------+---------------------------------------+
| **2.11.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes <https:// |
| | | github.com/xcat2/xcat-core/wiki |
| | | /XCAT_2.12.3_Release_Notes>`_ |
+-------------------------+-----------------------------------+---------------------------------------+
| **2.10.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes <https:// |
| | | github.com/xcat2/xcat-core/wiki |
| | | /XCAT_2.12.3_Release_Notes>`_ |
+-------------------------+-----------------------------------+---------------------------------------+
| **2.9.x** | Update to **2.9.4**, or higher | `2.9.4 Release Notes <https:// |
| | | github.com/xcat2/xcat-core/wiki |
| | | /XCAT_2.9.4_Release_Notes>`_ |
+-------------------------+-----------------------------------+---------------------------------------+
| **2.8.x** | Update to **2.9.4**, or higher | `2.9.4 Release Notes <https:// |
| | | github.com/xcat2/xcat-core/wiki |
| | | /XCAT_2.9.4_Release_Notes>`_ |
+-------------------------+-----------------------------------+---------------------------------------+
| **2.7.x** | Update to **2.7.10**, or higher | `2.7.10 Release Notes <https:// |
| | | github.com/xcat2/xcat-core/wiki |
| | | /XCAT_2.7.10_Release_Notes>`_ |
+-------------------------+-----------------------------------+---------------------------------------+
| **2.6.x**, or earlier | Update to **2.7.10**, or higher | `2.7.10 Release Notes <https:// |
| | | github.com/xcat2/xcat-core/wiki |
| | | /XCAT_2.7.10_Release_Notes>`_ |
| | | |
+-------------------------+-----------------------------------+---------------------------------------+
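Review bot: The first sentence of the Action section, "No action is required for xCAT 2.12.3, and higher.", does not agree with the table below it, which treats 2.9.4 and 2.7.10 as the fixed levels for their streams; a site already on 2.9.4 could read the sentence as requiring a further update. Suggest naming all three fixed levels in that sentence, or dropping it and letting the table carry the guidance. Wording: "these hard-coded password and interfaces" should read "passwords", and "No applicable" in the 2.13 row should read "Not applicable". The bulletin covers only the xCAT code update; it would help to state whether the HMC/FSP accounts that used these defaults need any change after the update.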


@@ -4,6 +4,7 @@
.. toctree::
:maxdepth: 1
20161130_hard_code_password.rst
20160824_openssl.rst
20160815_openssl.rst
20160503_openssl.rst
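Review bot: The new toctree entry 20161130_hard_code_password.rst is dated 2016-11-30, matching the bulletin title, while the commit is dated 2016-11-18; please confirm the later date is the intended publication date. The file name says "hard_code_password" where the bulletin title says "Service Stream Password"; consider aligning the two so the entry is easier to match to its page.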