Posted to dev@cloudstack.apache.org by John Kinsella <jl...@stratosec.co> on 2012/10/07 22:15:16 UTC

[CVE-2012-4501] CloudStack security announcement

CVE-2012-4501: Apache CloudStack configuration vulnerability

Severity: Critical

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Affected:
No official Apache CloudStack release has been made yet, so no official
Apache CloudStack release is affected.

Anybody running a version of CloudStack built from the Apache
CloudStack source tree prior to October 7th, 2012 needs to take the
actions specified below. Note that this includes both the Citrix
CloudStack commercial version and the open-source, pre-ASF versions.

Description:
The CloudStack PPMC was notified of a configuration vulnerability in
development versions of the Apache Incubated CloudStack project. The
vulnerability allows a malicious user to execute arbitrary CloudStack
API calls; such a user could, for example, delete every VM in the
system.

Addressing this issue is especially important for anybody running
CloudStack in a public environment, where the API is reachable by
untrusted parties.

Mitigation:
1) Log in to the CloudStack database with the MySQL client
$ mysql -u cloud -p -h host-ip-address
(enter the password when prompted)

2) Disable the system user by overwriting its stored password with a
random value:
mysql> update cloud.user set password=RAND() where id=1;

RAND() writes a decimal fraction between 0 and 1 into the column. The
management server compares the stored value against a hash of the
password supplied at login, and no password hashes to such a value, so
the system user (id 1) can no longer authenticate. The client should
report exactly one row affected; if it reports zero, check that you are
connected to the right database.

3) Exit MySQL
mysql> \q
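The following is an added example, not code from the advisory or from the CloudStack project, showing the mitigation above applied through a DB-API connection together with a check of the before and after state of the system user's row. It assumes that the `cloud.user` table has `id`, `username` and `password` columns, that the `password` column holds an MD5 hex digest of the user's password (as CloudStack did at the time), and it uses an in-memory sqlite3 database with an attached schema named `cloud` as a constructed stand-in for the MySQL server; against MySQL you would pass a pymysql or MySQLdb connection and the `%s` placeholder instead.

```python
"""Apply and verify the CVE-2012-4501 mitigation on the system user row.

Added example (not CloudStack project code).  Assumptions:
  * cloud.user has id, username and password columns;
  * password holds a 32-hex-char MD5 digest, so any value that is not
    32 hex characters can never equal the hash of a supplied password;
  * sqlite3 with an attached in-memory schema "cloud" stands in for
    MySQL; for MySQL pass a DB-API connection and placeholder="%s".
"""
import hashlib
import re
import secrets
import sqlite3

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
SYSTEM_USER_ID = 1  # the row targeted by the advisory's UPDATE


def disable_system_user(conn, placeholder="?", schema="cloud"):
    """Overwrite the system user's stored credential with an unmatchable value.

    The advisory uses MySQL's RAND(); here a 64-hex-char random token is
    written instead.  Either way the stored value is no longer a 32-char
    MD5 digest, so no supplied password can hash to it.  Returns the
    value written so it can be logged; it is a marker, not a password.
    """
    token = secrets.token_hex(32)
    cur = conn.cursor()
    cur.execute(
        f"UPDATE {schema}.user SET password = {placeholder} WHERE id = {placeholder}",
        (token, SYSTEM_USER_ID),
    )
    conn.commit()
    return token


def system_user_state(conn, placeholder="?", schema="cloud"):
    """Classify the system user's row.

    Returns "hashed" when the stored value looks like an MD5 digest (the
    account may still be usable), "disabled" when it cannot be one, and
    "missing" when there is no row with id 1.
    """
    cur = conn.cursor()
    cur.execute(f"SELECT password FROM {schema}.user WHERE id = {placeholder}",
                (SYSTEM_USER_ID,))
    row = cur.fetchone()
    if row is None:
        return "missing"
    return "hashed" if MD5_HEX.match(row[0] or "") else "disabled"


def demo_connection():
    """Constructed stand-in for the CloudStack database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS cloud")
    conn.execute("CREATE TABLE cloud.user "
                 "(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Constructed sample rows: the system user and one ordinary admin,
    # both with MD5-hashed passwords.  The plaintexts are placeholders.
    conn.execute("INSERT INTO cloud.user VALUES (?, ?, ?)",
                 (1, "system", hashlib.md5(b"placeholder").hexdigest()))
    conn.execute("INSERT INTO cloud.user VALUES (?, ?, ?)",
                 (2, "admin", hashlib.md5(b"admin-placeholder").hexdigest()))
    conn.commit()
    return conn


def run_mitigation():
    """Run the mitigation on the demo database.

    Returns (state_before, state_after, admin_row_untouched) so a caller
    can confirm that only the system user was changed.
    """
    conn = demo_connection()
    before = system_user_state(conn)
    disable_system_user(conn)
    after = system_user_state(conn)
    admin_pw = conn.execute("SELECT password FROM cloud.user WHERE id = 2").fetchone()[0]
    return before, after, bool(MD5_HEX.match(admin_pw))


if __name__ == "__main__":
    print(run_mitigation())  # ('hashed', 'disabled', True)
```

The state check is the part worth keeping after the emergency is over: run it against the real database after applying the UPDATE, and again after any restore from backup, since a restored dump will bring the old row back.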

Alternatively, users can update to a version of CloudStack based on
the git repository on or after October 7th, 2012.

Credit:
This issue was identified by Hugo Trippaers of Schuberg Philis.