
AQS Cassandra superuser has default password
Closed, ResolvedPublicSecurity

Description

The Cassandra superuser on the AQS cluster is using the (obvious, well-known) default password.

Event Timeline

BTullis subscribed.

I'll make a similar change to the private repo and apply it tomorrow, all being well. I might start with the old aqs servers, then promote it to the aqs_next servers once it's been shown to be harmless.

I've now updated the private repo with cassandra::super_password entries for both aqs and aqs_next.

It turns out that this was all that was required and a puppet run does correctly update all of the /etc/cassandra-${instance}/cqlshrc files.

@Eevans - you can now read this file and then update the cassandra instances at your convenience. Is that OK, or would you prefer me to do it?

I'll take care of it; thanks @BTullis!

sbassett added a project: SecTeam-Processed.
sbassett subscribed.

@Eevans - if the creds have been rotated, I assume there are no other issues in making this task public?

Nope; none that I am aware of!

sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.