Bugzilla – Bug 961115
VUL-1: CVE-2016-0726: icinga: Configured administrative account with fixed password and no IP restriction as default
Last modified: 2020-06-29 06:23:36 UTC
rh#1295446 "It was found that default configuration for nagios on Fedora is administrative account with user "nagiosadmin" with fixed password "nagiosadmin" and no IP based access restriction. This information is missing in packaged README file."

Looks like our package starting from SLE 12 also has a configuration that allows access by default. Rating major because it's enabled by default after install and network accessible. In our README there is a hint to set the credentials, but no mention of the default credentials. I would prefer removing the default credentials instead of documenting it.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1295446
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0726
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Jan. 18, 2016". When done, reassign the bug to "security-team@suse.de". /update/121250/.
(In reply to Johannes Segitz from comment #0)
> Looks like our package starting from SLE 12 also has a configuration that
> allows access by default. Rating major because it's enabled by default after
> install and network accessible. In our README there is a hint to set the
> credentials, but no mention of the default credentials. I would prefer
> removing the default credentials instead of documenting it.

Nagios is not available on SLE12, so this could be marked as invalid ;-)

But I guess you mean the successor, Icinga, which indeed comes with an htaccess file containing the standard user and password mentioned in README.SUSE:

[...]
1. Install icinga
2. Install the needed nagios-plugins
3. If you need or want the classic gui, install icinga-www.
   If you want plain monitoring with icinga core and configure everything else by hand, you are done.
3.1 An example user icingaadmin with password icingaadmin is installed to /etc/icinga/htpasswd.users
3.1 Add a new basic auth user for apache:
    # htpasswd /etc/icinga/htpasswd.users youradmin
[...]

This is also documented (with slightly different path names, of course) upstream: http://docs.icinga.org/latest/en/quickstart-icinga.html#configclassicui

------

Switching over to our nagios package, which is on SLE11 and openSUSE. This contains in README.SUSE:

[...]
******************************************************************
* Remember to create a htpasswd.users file in /etc/nagios:
*   htpasswd2 -c /etc/nagios/htpasswd.users nagiosadmin
* And set the correct rights for this file:
*   chmod 640 /etc/nagios/htpasswd.users
*   chown root:www /etc/nagios/htpasswd.users
*
* You should also add a mail alias for the nagiosadmin to your
* /etc/aliases file like:
*   nagiosadmin: root
* and afterwards update the database with "newaliases"
* Note: the RPM tries to do this automatically
******************************************************************
[...]
(taken from SUSE:SLE-11:Update)

------

So while icinga tells the user and password of the default credentials - and also the steps to create a new user, the Nagios package on SLE11 does not even contain a htpasswd file and explicitly asks the user to create one. The Nagios package on openSUSE has a htpasswd file containing the default user.
What to do?

Nagios on SLES:
* IMHO no changes needed, as per default the user can never log in (no htpasswd available) if he did not read the README.SUSE

Nagios on openSUSE:
* can either be enhanced in the documentation (telling the default credentials, which are otherwise in the upstream documentation anyway) or remove the htpasswd file again, which was added in the past to allow direct access after the installation of nagios on a machine

Icinga on SLES/openSUSE:
* we can enhance the documentation by adding a "how to change the default credentials" section or remove the htpasswd file from the package completely

On all versions, we can also think about limiting the access via Apache rules to allow only localhost.

As I have no access to the mentioned links in comment #1 (at least not in a level to get some interesting data out of it), I would prefer the following (even if both upstreams are currently doing it the other way around for usability):
1. Enhance our documentation
2. Remove the htpasswd file completely (or better place an empty one)
3. Restrict access to localhost

^^ 3 would be sufficient enough to fix this "bug", so I need advice now on how far we want to go locking the user out of the WebUI?
(In reply to Lars Vogdt from comment #4) So from a security POV I'm for 1 & 2. The users should create the file themselves with their own credentials.
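An added audit helper for the decision above (example code, not from this bug or from the icinga/nagios packages): it reads an htpasswd.users file and reports whether the default icingaadmin or nagiosadmin accounts still carry their default passwords. The sample file content is constructed; only {SHA} and plaintext entries are verified, other hash formats (apr1-MD5, bcrypt, crypt) are reported as unverified.

```python
"""Audit an htpasswd.users file for the default icingaadmin/nagiosadmin accounts."""
import base64
import hashlib

# Default web accounts named in this bug, as user: password.
DEFAULT_CREDENTIALS = {"icingaadmin": "icingaadmin", "nagiosadmin": "nagiosadmin"}


def sha_entry(password):
    """Build the htpasswd '{SHA}' form of a password (base64 of the raw SHA-1)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def parse_htpasswd(text):
    """Return {user: stored_value} for every 'user:value' line; skip blanks/comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, value = line.partition(":")
        entries[user] = value
    return entries


def password_matches(password, stored):
    """True/False for {SHA} and plaintext entries; None when the stored format
    (apr1-MD5, bcrypt, crypt(3)) cannot be verified with hashlib alone."""
    if stored.startswith("{SHA}"):
        return stored == sha_entry(password)
    if stored == password:  # plaintext entry, accepted by htpasswd on some platforms
        return True
    return None


def audit_htpasswd(text):
    """Map each default account found to 'default-password', 'changed' or 'unverified'."""
    verdicts = {True: "default-password", False: "changed", None: "unverified"}
    findings = {}
    for user, stored in parse_htpasswd(text).items():
        if user in DEFAULT_CREDENTIALS:
            findings[user] = verdicts[password_matches(DEFAULT_CREDENTIALS[user], stored)]
    return findings


# Constructed sample (not the packaged file): default icingaadmin, a nagiosadmin
# entry with a placeholder apr1 hash, and a custom admin that is not a default account.
SAMPLE = "\n".join([
    "icingaadmin:" + sha_entry("icingaadmin"),
    "nagiosadmin:$apr1$xxxxxxxx$PLACEHOLDER_HASH_VALUE",
    "youradmin:" + sha_entry("correct horse battery"),
])
```

Running `audit_htpasswd(SAMPLE)` flags icingaadmin as still using the default password and nagiosadmin as unverified; a clean system returns an empty result.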
Maintenance rq 547321 submitted for icinga 1.14.0 on openSUSE Leap 42.2 (OBS) Maintenance rq 547320 submitted for icinga 1.14.0 on openSUSE Leap 42.3 (OBS) Icinga packages also updated in server:monitoring and submitted to Factory.
This is an autogenerated message for OBS integration: This bug (961115) was mentioned in
https://build.opensuse.org/request/show/547320 42.2+42.3 / icinga
https://build.opensuse.org/request/show/547321 42.2+42.3 / icinga
https://build.opensuse.org/request/show/547323 Factory / nagios
https://build.opensuse.org/request/show/547324 Factory / icinga
https://build.opensuse.org/request/show/547331 42.2+42.3 / nagios
https://build.opensuse.org/request/show/547332 42.2+42.3 / nagios
This is an autogenerated message for OBS integration: This bug (961115) was mentioned in
https://build.opensuse.org/request/show/547333 42.2+42.3 / nagios
https://build.opensuse.org/request/show/547334 42.2+42.3 / nagios
This is an autogenerated message for OBS integration: This bug (961115) was mentioned in https://build.opensuse.org/request/show/558566 Factory / icinga
This is an autogenerated message for OBS integration: This bug (961115) was mentioned in https://build.opensuse.org/request/show/641224 42.2+42.3 / icinga
This is an autogenerated message for OBS integration: This bug (961115) was mentioned in https://build.opensuse.org/request/show/641258 42.2+42.3 / nagios
openSUSE-SU-2018:3258-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1011630,1018047,952777,961115
CVE References: CVE-2015-8010,CVE-2016-0726,CVE-2016-10089,CVE-2016-8641
Sources used:
openSUSE Leap 42.3 (src): icinga-1.14.0-8.3.2