Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cloudstack.apache.org
Delivered-To: mailing list issues@cloudstack.apache.org
Date: Thu, 6 Jul 2017 10:34:04 +0000 (UTC)
From: "Rajani Karuturi (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Updated] (CLOUDSTACK-9927) Root admin user should be forced to change password
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
archived-at: Thu, 06 Jul 2017 10:34:11 -0000

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-9927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajani Karuturi updated CLOUDSTACK-9927:
----------------------------------------
    Fix Version/s:     (was: 4.10.0.0)
                       4.10.1.0

> Root admin user should be forced to change password
> ---------------------------------------------------
>
>                 Key: CLOUDSTACK-9927
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9927
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Management Server
>            Reporter: Harikrishna Patnala
>            Assignee: Harikrishna Patnala
>             Fix For: 4.10.1.0
>
>
> The default password for the root admin in CloudStack is "password". The user is not required to change this password.
> Using CloudStack with the default password is the same as using it with no password. An attacker could log onto the management UI or API and make changes to the system, delete or steal resources, and stop services.
> Mitigation:
> Do not continue in UI until admin has changed his password to something other than the default. Also, do not permit the admin to change his password back to the default one later.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
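The mitigation the ticket asks for, as an added illustration that is not CloudStack's own code: a hypothetical account record that refuses to issue a session while the shipped default password is still in force, and rejects any later change back to it. The `AdminAccount` class, its status strings and the salted PBKDF2 storage are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Shipped default for the root admin, as named in the ticket.
DEFAULT_ADMIN_PASSWORD = "password"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the digest is stored, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AdminAccount:
    """Hypothetical bootstrap account whose forced-change flag is set at install time."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(DEFAULT_ADMIN_PASSWORD, self.salt)
        self.must_change_password = True  # the installer sets this for the seeded account

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.digest)

    def login(self, password: str) -> str:
        """Return a status instead of a session while the default is still in use."""
        if not self._matches(password):
            return "denied"
        # Belt and braces: even if the flag were lost (e.g. a restored database row),
        # a credential that still equals the shipped default must not yield a session.
        if self.must_change_password or self._matches(DEFAULT_ADMIN_PASSWORD):
            return "password_change_required"
        return "session_granted"

    def change_password(self, current: str, new: str) -> str:
        """Rotate the credential; the shipped default is never accepted as the new value."""
        if not self._matches(current):
            return "denied"
        if hmac.compare_digest(new.encode("utf-8"), DEFAULT_ADMIN_PASSWORD.encode("utf-8")):
            return "rejected_default"
        if self._matches(new):
            return "rejected_unchanged"
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(new, self.salt)
        self.must_change_password = False
        return "changed"
```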