[jira] [Commented] (CLOUDSTACK-9927) Root admin user should be forced to change password

Sat, 06 Jan 2018 11:02:37 -0800 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16314838#comment-16314838
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9927:
--------------------------------------------

rhtyd commented on issue #2125: CLOUDSTACK-9927: Root admin user should be 
forced to change password …
URL: https://github.com/apache/cloudstack/pull/2125#issuecomment-355767965
 
 
   Thanks @harikrishna-patnala for the PR. I think the intention to force the 
admin to change the admin password is better to be suggested/enforced when 
`cloudstack-setup-databases` is run, i.e. during installation of the mgmt 
server but not via the UI. Given views from others, I'll close the PR but 
encourage sending another PR where the suggestion/enforcement may be performed 
via the `cloudstack-setup-databases` script which may display/print a warning 
when the default user/admin password is not changed.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Root admin user should be forced to change password
> ---------------------------------------------------
>
>                 Key: CLOUDSTACK-9927
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9927
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Management Server
>            Reporter: Harikrishna Patnala
>            Assignee: Harikrishna Patnala
>             Fix For: 4.10.1.0
>
>
> The default password for the root admin in CloudStack is "password". The user 
> is not required to change this password.
> Using CloudStack with the default password is the same as using it with no 
> password. An attacker could log onto the management UI or API and make 
> changes to the system, delete or steal resources, and stop services.
> Mitigation:
> Do not continue in UI until admin has changed his password to something other 
> than the default. Also, do not permit the admin to change his password back 
> to the default one later.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to