CVE-2015-3252: Apache CloudStack VNC authentication issue

[John Kinsella <jl...@gmail.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2015-3252: Apache CloudStack VNC authentication issue

CVSS v2:
4.3 (AV:N/AC:H/Au:M/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Afffected:
Apache CloudStack 4.4.4, 4.5.1

Description:
Apache CloudStack sets a VNC password unique to each KVM virtual
machine under management. Upon migrating a VM from one host to
another, the VNC password is no longer set in KVM on the new host.

To leverage this issue, an attacker would need to have network
access to a CloudStack host to be able to connect via VNC directly.

Mitigation:
Users of Apache CloudStack and derivatives should ensure their hosts
are behind network firewalls, and should update to least version
4.5.2 or 4.6.0, depending on which tree is being used.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJWs/dCAAoJELAo8zo1KBbtsX8QAMf2s9OIY3FTbMbTIo/LBmLa
rOOE46SBcmypN1TCHKW0K9etymieI58CPX9LHNdtZcAMa1khl4uo/Euz0wGu0zZZ
awXahXEKUkLSTQDDYJP+8TmKvnIan/mYXRvPEHi2bMCtQ+CjY5qvcge9wXpFDKty
B3LP9n/zYDkQCvBLmjPuqIM+B4JXT9q/e3LsVQHrjhBxheY26CMrSRZ/aLxmzxbh
SSNs4oMZhLEPHoSt/lWsHYd/HxJ/eEjyQunP0UpO5d5/RZypYllPHcbaFPqtC4uK
55VB3JGyPiSEpxbbWEAqrPlOwCU9yNhRXnjdf3gc360NtdjncY1R49+VvUc6C+6u
FqPmy5LFja5uQ1w6/VDdwoT9GeBL9rooMFsLgRpv+FCKPYEtvvIbvot45xA5TCAi
MoU7RjYZoWHTmXLYcQOSSzFnySjLVqdrIL6fgu4gpehB/Od+sV+dwaKM/l03Ml8S
mTerjUNkG2e+pNuWk703aLv4YrKv63T2ga8Nli00BYSyzsxDupd+0XmBzvsLPCMY
uEbxBVVFSpIJMtTacBNgRQGFEQVh+DxPgDaXoZ6RFU/QKVZuWAq85qVEcbDjf8bM
0C6D3f5uXaFaXm4ff1FZ/s/4YOj4rm5EyawrM+Me218+PKMJPHzvsL8y10GCj1T8
s1S77QqgKhqFc+98Z1m3
=OY+T
-----END PGP SIGNATURE-----