2016-11-30 - Removal of Service Stream Password
It has been brought to our attention that the xCAT product has hard-coded default passwords for the HMC/FSP to allow IBM Service to connect to customer machines for L2/L3 support activities. This creates a security vulnerability: third parties could potentially gain root-level access using these weak, hard-coded passwords.
Example:
create_pwd => "netsDynPwdTool --create dev FipSdev", password => "FipSdev"
In response, xCAT will remove these hard-coded passwords and interfaces from the xCAT code.
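To check an installed source tree for entries shaped like the example above, a scan along these lines can be used. This is an added example, not xCAT code: the key names come from the advisory's example line, while the function names and the Perl file suffixes scanned are assumptions.

```python
import re
import sys
from pathlib import Path

# Perl hash entries such as:  password => "literal"  or  create_pwd => 'literal'
# The two key names are taken from the advisory's example line.
ENTRY = re.compile(r"""\b(password|create_pwd)\s*=>\s*(["'])(.*?)\2""")


def find_hardcoded(text):
    """Return (line_number, key) for each entry whose value is a string literal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ENTRY.finditer(line):
            key, quote, value = m.groups()
            # Skip empty values and double-quoted strings that interpolate a
            # Perl variable: neither is a fixed secret in the source.
            if value == "" or (quote == '"' and "$" in value):
                continue
            hits.append((lineno, key))
    return hits


def scan_tree(root):
    """Scan .pm/.pl files under root; return {path: [(line, key), ...]}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix in {".pm", ".pl"} and path.is_file():
            hits = find_hardcoded(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: the advisory's example line plus two benign entries.
SAMPLE = '''my %cfg = (
    create_pwd => "netsDynPwdTool --create dev FipSdev", password => "FipSdev",
    password => "$user_supplied",
    password => "",
);
'''

if __name__ == "__main__":
    # Usage: script.py <directory>; with no argument the sample is scanned.
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": find_hardcoded(SAMPLE)}
    for name, hits in found.items():
        for lineno, key in hits:
            # Report location and key only; the secret itself is never echoed.
            print(f"{name}:{lineno}: literal value assigned to {key}")
    sys.exit(1 if any(found.values()) else 0)
```

A non-zero exit status means at least one literal credential entry was found, which makes the script usable as a post-update check.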
Action
No action is required for xCAT 2.12.3 and higher.
If running an older version of xCAT, update to a higher-level code base that has the hard-coded default passwords removed.
The following table describes the recommended update path:
xCAT Version | Action | Release Notes |
---|---|---|
2.13, or newer | Not applicable | |
2.12.x | Update to 2.12.3, or higher | 2.12.3 Release Notes |
2.11.x | Update to 2.12.3, or higher | 2.12.3 Release Notes |
2.10.x | Update to 2.12.3, or higher | 2.12.3 Release Notes |
2.9.x, or older | Update to: | 2.9.4 Release Notes |