Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1063188 - Just provide confirm password for admin can be succeed
Summary: Just provide confirm password for admin can be succeed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-node
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.5.0
Assignee: Fabian Deutsch
QA Contact: Virtualization Bugs
URL:
Whiteboard: node
Depends On:
Blocks: 1065425 1072455 1123329 rhev3.5beta 1156165
TreeView+ depends on / blocked
 
Reported: 2014-02-10 09:03 UTC by wanghui
Modified: 2016-02-10 20:05 UTC (History)
17 users (show)

Fixed In Version: ovirt-node-3.0.1-18.el6.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 20:52:03 UTC
oVirt Team: Node
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2015:0160 normal SHIPPED_LIVE ovirt-node bug fix and enhancement update 2015-02-12 01:34:52 UTC
oVirt gerrit 24308 None None None Never

Description wanghui 2014-02-10 09:03:12 UTC
Description of problem:
It will re-set the admin password if you only provide confirm password. And it will result the admin can login without provide password.

It also trigger to disable CIM when just provide confirm password without enable CIM.

Version-Release number of selected component (if applicable):
rhevh-6.5-20140120.0
ovirt-node-3.0.1-18.el6_5.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install rhevh-6.5-20140120.0.
2. Re-set admin password as follows.
   Password:          __________
   Confirm Password:  redhat
3. Logout and login with admin
4. Configure CIM as follows.
   Enable CIM     []
    CIM password
   Password:          __________
   Confirm Password:  redhat

Actual results:
1. After step2, it will prompt that all changes were applied successfully.
2. After step3, it will not require admin password and login directly.
3. After step4, it will prompt that all changes were applied successfully.

Expected results:
1. It should not allow just provide confirm password to change the admin password or trigger to configure CIM.

Additional info:

Comment 2 wanghui 2014-02-11 08:33:54 UTC
No such issue in RHEV-H 6.4-20131003.0.el6. So this issue should be a regression bug.

Comment 3 Ying Cui 2014-02-11 09:20:27 UTC
Hi Fabian,
   This bug is regression bug, can we try to fix it asap(6.5update2)?

Thanks
Ying

Comment 4 haiyang,dong 2014-02-11 09:45:46 UTC
Add elif statement to check password == "" and confirmation != ""
http://gerrit.ovirt.org/#/c/24308/

Comment 5 haiyang,dong 2014-02-11 12:24:33 UTC
Using jenkins build :
http://jenkins.ovirt.org/job/node-devel/1438/distro=centos64/artifact/ovirt-node-iso-3.1.0-0.999.1438.el6.iso

to test follow:
For admin password and CIM password,
(a)if you only provide confirm password, it will prompt "Please Check Password Entry" and disable "Save" button.
(b)if you only provide password, it will prompt "Please Check Confirm Password Entry" and disable "Save" button.

Comment 7 Murray McAllister 2014-02-20 02:21:18 UTC
Thanks for your report! I am not sure if we need to treat this as a security issue as I assume you need to know the administrator password to get to the password reset functionality in the first place.

I am going to see if Petr Matousek, the security response team's RHEV expert, can take a quick look.

Thanks,

--
Murray McAllister / Red Hat Security Response Team

Comment 8 Fabian Deutsch 2014-02-21 08:28:43 UTC
Hey Murray,

I already reached out to Petr and this is no security issue.

I guess I was using the Security keyword incorrectly. Until now I thought that it was used to "tag" possible security related bugs, but it seems that this will also automatically pull someone in from the SRT, is that correct?

Comment 9 Murray McAllister 2014-02-26 03:25:00 UTC
I believe you are using it correctly. I should have checked with Petr first before asking in the bug.

And yes, SRT will be notified when a bug is tagged with the security keyword, but please continue to use it if you have possible security related bugs.

Sorry for all the noises!

Comment 13 wanghui 2014-12-17 06:18:23 UTC
Test Version:
rhev-hypervisor6-6.6-20141212.0
ovirt-node-3.1.0-0.34.20141210git0c9c493.el6.noarch

Steps to Reproduce:
1. Install rhev-hypervisor6-6.6-20141212.0.
2. Re-set admin password as follows.
   Password:          __________
   Confirm Password:  redhat
3. Configure CIM as follows.
   Enable CIM     []
    CIM password
   Password:          __________
   Confirm Password:  redhat

Actual results:
1. After step2, it can not click save button.
3. After step3, it can not click save button.

So this issue is fixed in rhev-hypervisor6-6.6-20141212.0 now. Change the status from ON_QA to Verified.

Comment 14 wanghui 2014-12-17 06:22:10 UTC
And also no such issue in rhev-hypervisor7-7.0-20141212.0.

Comment 16 errata-xmlrpc 2015-02-11 20:52:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0160.html


Note You need to log in before you can comment on or make changes to this bug.