From 167fb753a8655516f125405ed70bfb9445a74ea9 Mon Sep 17 00:00:00 2001 From: Victor Hu Date: Fri, 18 Nov 2016 10:49:29 -0500 Subject: [PATCH 1/3] Add security bulletin for removal of hard coded password --- .../2016/20161130_hard_code_password.rst | 60 +++++++++++++++++++ docs/source/security/2016/index.rst | 1 + 2 files changed, 61 insertions(+) create mode 100644 docs/source/security/2016/20161130_hard_code_password.rst diff --git a/docs/source/security/2016/20161130_hard_code_password.rst b/docs/source/security/2016/20161130_hard_code_password.rst new file mode 100644 index 000000000..5c1fb3988 --- /dev/null +++ b/docs/source/security/2016/20161130_hard_code_password.rst 
@@ -0,0 +1,60 @@ +2016-11-30 - Removal of Service Stream Password +=============================================== + +It has been brought to our attention that the xCAT product has hard-coded default passwords for the HMC/FSP to allow for IBM Service to connect to customer machines for L2/L3 support activities. This creates a security vulnerability where third parties could potentially gain root level access using these weak, hard coded passwords. + + + Example: :: + + create_pwd => "netsDynPwdTool --create dev FipSdev", + password => "FipSdev" + + +In response, xCAT will remove these hard-coded password and interfaces from the xCAT code. + + +Action +------ + +No action is required for xCAT 2.12.3, and higher. + +If running older versions of xCAT, update xCAT to a higher level code base that has the hard-coded default passwords removed. + +The following table describes the recommended update path: + ++-------------------------+-----------------------------------+---------------------------------------+ +| xCAT Version | Action | Release Notes | ++=========================+===================================+=======================================+ +| **2.13**, or higher | No applicable | | +| | | | ++-------------------------+-----------------------------------+---------------------------------------+ +| **2.12.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------+---------------------------------------+ +| **2.11.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------+---------------------------------------+ +| **2.10.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------+---------------------------------------+ +| **2.9.x** | Update to **2.9.4**, or higher | `2.9.4 Release Notes `_ | 
++-------------------------+-----------------------------------+---------------------------------------+ +| **2.8.x** | Update to **2.9.4**, or higher | `2.9.4 Release Notes `_ | ++-------------------------+-----------------------------------+---------------------------------------+ +| **2.7.x** | Update to **2.7.10**, or higher | `2.7.10 Release Notes `_ | ++-------------------------+-----------------------------------+---------------------------------------+ +| **2.6.x**, or earlier | Update to **2.7.10**, or higher | `2.7.10 Release Notes `_ | +| | | | ++-------------------------+-----------------------------------+---------------------------------------+ + diff --git a/docs/source/security/2016/index.rst b/docs/source/security/2016/index.rst index 43cebeb61..e0db9a230 100644 --- a/docs/source/security/2016/index.rst +++ b/docs/source/security/2016/index.rst @@ -4,6 +4,7 @@ .. toctree:: :maxdepth: 1 + 20161130_hard_code_password.rst 20160824_openssl.rst 20160815_openssl.rst 20160503_openssl.rst From 046cfe97a37c4d80a45f0438f3435db3993b7dd8 Mon Sep 17 00:00:00 2001 From: Victor Hu Date: Tue, 22 Nov 2016 13:17:31 -0500 Subject: [PATCH 2/3] Add more information to the tables to indicate the different update path for Linux vs AIX --- .../2016/20161130_hard_code_password.rst | 73 ++++++++++--------- 1 file changed, 38 insertions(+), 35 deletions(-) diff --git a/docs/source/security/2016/20161130_hard_code_password.rst b/docs/source/security/2016/20161130_hard_code_password.rst index 5c1fb3988..e9f57fd69 100644 --- a/docs/source/security/2016/20161130_hard_code_password.rst +++ b/docs/source/security/2016/20161130_hard_code_password.rst 
@@ -22,39 +22,42 @@ If running older versions of xCAT, update xCAT to a higher level code base that The following table describes the recommended update path: -+-------------------------+-----------------------------------+---------------------------------------+ -| xCAT Version | Action | Release Notes | -+=========================+===================================+=======================================+ -| **2.13**, or higher | No applicable | | -| | | | -+-------------------------+-----------------------------------+---------------------------------------+ -| **2.12.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | -+-------------------------+-----------------------------------+---------------------------------------+ -| **2.11.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | -+-------------------------+-----------------------------------+---------------------------------------+ -| **2.10.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | -+-------------------------+-----------------------------------+---------------------------------------+ -| **2.9.x** | Update to **2.9.4**, or higher | `2.9.4 Release Notes `_ | -+-------------------------+-----------------------------------+---------------------------------------+ -| **2.8.x** | Update to **2.9.4**, or higher | `2.9.4 Release Notes `_ | -+-------------------------+-----------------------------------+---------------------------------------+ -| **2.7.x** | Update to **2.7.10**, or higher | `2.7.10 Release Notes `_ | -+-------------------------+-----------------------------------+---------------------------------------+ -| **2.6.x**, or earlier | Update to **2.7.10**, or higher | `2.7.10 Release Notes `_ | -| | | | -+-------------------------+-----------------------------------+---------------------------------------+ ++-------------------------+-----------------------------------------------+---------------------------------------+ +| xCAT Version | Action | 
Release Notes | ++=========================+===============================================+=======================================+ +| **2.13**, or higher | No applicable | | +| | | | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.12.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.11.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.10.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.9.x** | Update to: | `2.9.4 Release Notes `_ | +| | - **2.12.3**, or higher for **LINUX** | | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.8.x** | Update to: | `2.9.4 Release Notes `_ | +| | - **2.12.3**, or higher for **LINUX** | | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.7.x** | Update to: | `2.7.10 Release Notes `_ | +| | - **2.12.3**, or higher for **LINUX** | | ++-------------------------+-----------------------------------------------+---------------------------------------+ +| **2.6.x**, or earlier | Update to **2.7.10**, or higher | `2.7.10 Release Notes `_ | +| | | | ++-------------------------+-----------------------------------------------+---------------------------------------+ From 45a7f59b853b8d67f512408e1d25f1fdd02913be Mon Sep 17 00:00:00 2001 
From: Victor Hu Date: Wed, 30 Nov 2016 12:27:31 -0500 Subject: [PATCH 3/3] Update the table to reflect the update path for security bulletin to be for 2.9 release only for AIX --- .../2016/20161130_hard_code_password.rst | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/docs/source/security/2016/20161130_hard_code_password.rst b/docs/source/security/2016/20161130_hard_code_password.rst index e9f57fd69..80d81a695 100644 --- a/docs/source/security/2016/20161130_hard_code_password.rst +++ b/docs/source/security/2016/20161130_hard_code_password.rst 
@@ -25,7 +25,7 @@ The following table describes the recommended update path: +-------------------------+-----------------------------------------------+---------------------------------------+ | xCAT Version | Action | Release Notes | +=========================+===============================================+=======================================+ -| **2.13**, or higher | No applicable | | +| **2.13**, or newer | No applicable | | | | | | +-------------------------+-----------------------------------------------+---------------------------------------+ | **2.12.x** | Update to **2.12.3**, or higher | `2.12.3 Release Notes `_ | +-------------------------+-----------------------------------------------+---------------------------------------+ -| **2.9.x** | Update to: | `2.9.4 Release Notes `_ | | | - **2.12.3**, or higher for **LINUX** | | +-------------------------+-----------------------------------------------+---------------------------------------+ -| **2.8.x** | Update to: | `2.9.4 Release Notes `_ | -| | - **2.12.3**, or higher for **LINUX** | | -+-------------------------+-----------------------------------------------+---------------------------------------+ -| **2.7.x** | Update to: | `2.7.10 Release Notes `_ | -| | - **2.12.3**, or higher for **LINUX** | | -+-------------------------+-----------------------------------------------+---------------------------------------+ -| **2.6.x**, or earlier | Update to **2.7.10**, or higher | `2.7.10 Release Notes `_ | -| | | | -+-------------------------+-----------------------------------------------+---------------------------------------+
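Review bot: in the patch 1 hunk that creates `20161130_hard_code_password.rst` (`@@ -0,0 +1,60 @@`), the `Example: ::` block republishes the credential the bulletin is about (`password => "FipSdev"` together with the `netsDynPwdTool --create dev FipSdev` invocation) in a public document, while the same bulletin tells readers that unpatched releases still accept it; redact the value (for example `password => "<redacted>"`) and keep only the shape of the entry, since the point is that a fixed password exists, not what it is. The Action section only covers upgrading the xCAT packages, but the example shows the password being created on the service processor, so add a sentence telling administrators to check whether that default is still set on their HMC/FSPs and to change it, because removing the code from xCAT does not by itself alter a password already configured on a device. Smaller items in the same hunk: `No applicable` in the 2.13 row should be `Not applicable`, `remove these hard-coded password and interfaces` should say `passwords`, and the Release Notes references (`2.12.3 Release Notes`_ and the others) show no inline `<url>` target as rendered here; confirm each one has a target, otherwise Sphinx reports an unknown target name.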
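Review bot: in the patch 2 hunk (`@@ -22,39 +22,42 @@`) the `2.9.x`, `2.8.x` and `2.7.x` rows now say `Update to: - **2.12.3**, or higher for **LINUX**` but their Release Notes column still points at the 2.9.4 and 2.7.10 notes, so the link no longer matches the recommended target; point those rows at the 2.12.3 notes or list both. The commit message says the table now distinguishes the Linux and AIX paths, yet only a LINUX line appears in each of those rows in the hunk; add the AIX line (or state that AIX keeps its own stream) so the split the message promises is actually in the table. Also, `- **2.12.3**, ...` sits directly under `Update to:` with no blank line inside the cell, so docutils renders it as a continuation of the paragraph rather than a bullet; add a blank line in the cell (a row of `|` with empty cells) before the list, or drop the dash and write it as plain text.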
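Review bot: in the patch 3 hunk (`@@ -25,7 +25,7 @@`) the re-added 2.13 row keeps the typo `No applicable` (should be `Not applicable`), and only that row changes from `or higher` to `or newer` while every other row in the table still says `or higher`; use one wording. With the `2.8.x`, `2.7.x` and `2.6.x, or earlier` rows deleted, the table no longer tells a reader on those releases what to move to, yet the sentence above it (`If running older versions of xCAT, update xCAT to a higher level code base ...`) still sends them to the table; add a catch-all `2.8.x, or earlier` row or a sentence stating the target for those releases. The hunk as shown also does not line up with itself: the header claims seven lines each side, the stat line reports 2 insertions and 17 deletions but only one `+` line and eleven `-` lines are visible, and the context line `| | - **2.12.3**, or higher for **LINUX** | |` is kept while the `2.9.x` row above it is removed, leaving that LINUX line without a row header; confirm the complete patch, including the replacement `2.9.x` row, is what gets applied.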