Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Opsware Network Automation System Vendors:   Opsware
Opsware Network Automation System Discloses MySQL Password to Local Users
SecurityTracker Alert ID:  1016566
SecurityTracker URL:
CVE Reference:   CVE-2006-3878   (Links to External Site)
Updated:  Jun 13 2008
Original Entry Date:  Jul 25 2006
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 6.0
Description:   A vulnerability was reported in the Opsware Network Automation System. A local user can obtain the MySQL database password.

The system installs a startup script in '/etc/init.d/mysqll' that contains the 'root' password selected for the MySQL MAX database during installation. The script has world-readable permissions. As a result, a local user can view the 'root' MySQL password.

Michael Freeman reported this vulnerability.

Impact:   A local user can obtain the MySQL database 'root' password.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   None.

 Source Message Contents

Subject:  Opsware NAS 6.0 reveals MySQL 'root' password

The Opsware Network Automation System (NAS) version 6.0 installation
places an 'init' style startup script in /etc/init.d/mysqll and places
the 'root' password that you choose for the MySQL MAX database during

The permissions on this small shell script are world readable, allowing
any user of the system to compromise the 'root' MySQL account. This
could reveal network intelligence including stored/shared authentication
credentials for network devices.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC