diff --git a/docs/source/security/2016/20161130_hard_code_password.rst b/docs/source/security/2016/20161130_hard_code_password.rst new file mode 100644 index 000000000..80d81a695 --- /dev/null +++ b/docs/source/security/2016/20161130_hard_code_password.rst 
@@ -0,0 +1,48 @@ +2016-11-30 - Removal of Service Stream Password +=============================================== + +It has been brought to our attention that the xCAT product has hard-coded default passwords for the HMC/FSP to allow for IBM Service to connect to customer machines for L2/L3 support activities. This creates a security vulnerability where third parties could potentially gain root level access using these weak, hard coded passwords. + + + Example: :: + + create_pwd => "netsDynPwdTool --create dev FipSdev", + password => "FipSdev" + + +In response, xCAT will remove these hard-coded password and interfaces from the xCAT code. + + +Action +------ + +No action is required for xCAT 2.12.3, and higher. + +If running older versions of xCAT, update xCAT to a higher level code base that has the hard-coded default passwords removed. + +The following table describes the recommended update path: + ++-------------------------+-----------------------------------------------+---------------------------------------+ +| xCAT Version | Action | Release Notes | ++=========================+===============================================+=======================================+ +| **2.13**, or newer | No applicable | | +| | | | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.12.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.11.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.10.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.9.x**, or older | Update to: | `2.9.4 Release Notes 
`_ | +| | - **2.12.3**, or higher for **LINUX** | | ++-------------------------+-----------------------------------------------+---------------------------------------+ + diff --git a/docs/source/security/2016/index.rst b/docs/source/security/2016/index.rst index 43cebeb61..e0db9a230 100644 --- a/docs/source/security/2016/index.rst +++ b/docs/source/security/2016/index.rst @@ -4,6 +4,7 @@ .. toctree:: :maxdepth: 1 + 20161130_hard_code_password.rst 20160824_openssl.rst 20160815_openssl.rst 20160503_openssl.rst
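Review bot: every entry in the "Release Notes" column of the new table is an empty hyperlink reference (`2.12.3 Release Notes `_ and `2.9.4 Release Notes `_ carry no target URL), so Sphinx will emit "Unknown target name" errors and the rendered advisory will not link anywhere; either fill in the release-notes URLs or drop the backticks and trailing underscore so the cells are plain text. Three smaller fixes in the same file: "No applicable" should read "Not applicable", "remove these hard-coded password and interfaces" should read "passwords", and the **2.9.x** row's "Update to:" cell lists only the **LINUX** path while its Release Notes cell points at 2.9.4 rather than 2.12.3, which leaves the reader unsure whether 2.9.4 also has the credentials removed. Finally, the "Example: ::" block reproduces the literal default password string; the advisory makes its point just as well with the value redacted, which avoids re-publishing the credential in the project's own docs.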