davift opened a new issue, #13341:
URL: https://github.com/apache/cloudstack/issues/13341

   ### The required feature described as a wish
   
   <img width="899" height="440" alt="Image" src="https://github.com/user-attachments/assets/893a3099-dcd5-4697-b213-54bbbfc76d45" />
   
   **Description:** CloudStack ships with a default administrative password and 
database encryption key, both set to the string "password". Neither value is 
randomized at install time, and the administrator is not prompted to change 
them during setup. Note that the database encryption key cannot be changed 
afterwards.
   
   **Affected Components:** Management
   
   **Impact:** An attacker with knowledge of the default credentials, which are 
publicly documented, can authenticate to the CloudStack Management UI without 
any prior reconnaissance or effort. Additionally, if the database encryption 
key is not changed, an attacker who gains read access to the database (e.g., 
via SQL injection, a misconfigured backup, or direct server access) can decrypt 
all protected fields, including API secret keys, passwords, and other 
credentials, using the known default key.
   
   **Steps to Reproduce:**
   - Deploy a fresh CloudStack instance following the official documentation.
   - Attempt to log in using the username `admin` and the password `password`.
   - Observe that login succeeds without any prompt to change the default 
password.
   - Separately, inspect the database encryption key on the management server:
   - `$ cat /etc/cloudstack/management/key`
   - Observe that the encryption key is set to the default value `password`.
   
   **Recommended Remediation:** Generate a unique password and database 
encryption key from a reliable source of entropy during installation (before 
the system becomes operational). Neither value should have a usable default.
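An added audit-and-remediation helper for the key file discussed above (example code written for this page, not part of the issue or of CloudStack itself). It flags a key file still holding the documented default and mints a random replacement; because the report notes the key cannot be changed once the system is in use, the rotation step refuses to touch anything that is no longer the default and is meant for a fresh install before the management server is first started. The key-file path and the 32-byte key length are assumptions.

```bash
#!/bin/sh
# Added example for the CloudStack default-key issue; not project code.
DEFAULT_KEY="password"          # the default value reported in the issue

# Return 0 when the key file still contains the default value, 1 when it
# holds something else, 2 when the file cannot be read.
key_is_default() {
    keyfile="${1:-/etc/cloudstack/management/key}"   # assumed path
    [ -r "$keyfile" ] || return 2
    [ "$(cat "$keyfile")" = "$DEFAULT_KEY" ]
}

# Print a fresh key: 32 bytes from /dev/urandom, base64 without padding.
# Assumes head, base64 and tr are available (coreutils).
generate_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Replace the key file ONLY while it still holds the default. The issue
# states the encryption key cannot be changed once the database has been
# populated, so run this on a fresh install before the first start of
# cloudstack-management; otherwise encrypted fields become unreadable.
rotate_fresh_install_key() {
    keyfile="$1"
    if ! key_is_default "$keyfile"; then
        echo "$keyfile: not the default key, refusing to rotate" >&2
        return 1
    fi
    newkey=$(generate_key) || return 1
    printf '%s\n' "$newkey" > "$keyfile" || return 1
    chmod 600 "$keyfile"            # keep the key readable by root only
    echo "$keyfile: replaced default key with a random one"
}
```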


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
