Posted to issues@cloudstack.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2017/08/01 18:43:02 UTC

[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109488#comment-16109488 ] 

ASF subversion and git services commented on CLOUDSTACK-9705:
-------------------------------------------------------------

Commit 75c81d918a359e25be3928ef42feb36614467a88 in cloudstack's branch refs/heads/4.9 from [~anshulg]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=75c81d9 ]

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset
 Now, updating the password via the UpdateUser API is not allowed via the integration port

(cherry picked from commit d206336e1a89d45162c95228ce3486b31d476504)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>


> Unauthenticated API allows Admin password reset
> -----------------------------------------------
>
>                 Key: CLOUDSTACK-9705
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9705
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Anshul Gangwar
>            Assignee: Anshul Gangwar
>
> The "unauthenticated API" allows a caller to reset CloudStack administrator passwords. This presents a security risk because it allows for privilege escalation attacks. First, if the unauthenticated API is listening on the network (instead of locally) then any user on the network can reset admin passwords. If the API is only listening locally, then any user with access to the local box can reset admin passwords. This would allow them to access other hosts within the CloudStack deployment.
> While it may be important to provide a recovery mechanism for admin passwords that have been lost or hijacked, such a solution needs to be secure. We should either remove this feature from the Unauthenticated API, or provide a solution that is less open to abuse.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
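As an added illustration (not code from the CloudStack project or from the commit referenced above), the Python sketch below models the server-side guard that commit describes: a request arriving on the unauthenticated integration port is refused as soon as it tries to set a credential parameter such as updateUser's password, while other updateUser fields on that port and the same password change over the authenticated port with a valid session still go through. The port numbers, the `ApiRequest` shape, the `dispatch`/`outcome` helpers and the `CREDENTIAL_PARAMS` table are assumptions made for this example; parameter and command names are compared case-insensitively as a defensive choice.

```python
"""Server-side guard modelled on the CLOUDSTACK-9705 fix (illustrative, not
CloudStack's own code): a password change through updateUser is refused when
the request arrives on the unauthenticated integration port, while the same
request over the authenticated port with a valid session is allowed."""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Assumed port layout for this example: the unauthenticated "integration" API
# on one listener, the normal authenticated API on another.  Constructed values.
INTEGRATION_PORT = 8096
AUTHENTICATED_PORT = 8080

# Hypothetical policy table: command -> parameters that change credentials.
# The page only establishes the updateUser/password case; the table form lets
# a deployment list further credential-bearing parameters in one place.
CREDENTIAL_PARAMS = {
    "updateuser": {"password"},
}


class ApiError(Exception):
    """Raised when a request is rejected; the message is the client-visible reason."""


@dataclass
class ApiRequest:
    port: int                    # listener the request arrived on
    query: str                   # raw query string, e.g. "command=updateUser&id=1&password=x"
    session_valid: bool = False  # outcome of session/API-key authentication, if any


def parse_params(query: str) -> dict:
    """Flatten parse_qs's {key: [values]} shape; keys are lower-cased so that
    "Password" and "password" are treated as the same parameter."""
    return {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def dispatch(req: ApiRequest) -> dict:
    """Route a request, enforcing that credential changes never pass through the
    unauthenticated listener.  Returns a small record of what was accepted."""
    params = parse_params(req.query)
    command = params.get("command", "").lower()
    if not command:
        raise ApiError("missing command")

    if req.port == INTEGRATION_PORT:
        # The integration port skips authentication entirely, so credential
        # changes must be refused here regardless of who the caller claims to be.
        blocked = CREDENTIAL_PARAMS.get(command, set()) & set(params)
        if blocked:
            raise ApiError(
                f"{command}: parameter(s) {sorted(blocked)} cannot be set via the integration port"
            )
        return {"command": command, "via": "integration", "params": params}

    if req.port == AUTHENTICATED_PORT:
        if not req.session_valid:
            raise ApiError("authentication required")
        return {"command": command, "via": "authenticated", "params": params}

    raise ApiError(f"unknown listener port {req.port}")


def outcome(req: ApiRequest) -> str:
    """Convenience wrapper returning 'allowed' or 'rejected: <reason>'."""
    try:
        dispatch(req)
        return "allowed"
    except ApiError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample requests covering the cases the fix distinguishes.
    samples = [
        ApiRequest(INTEGRATION_PORT, "command=updateUser&id=2&password=newpw"),
        ApiRequest(INTEGRATION_PORT, "command=updateUser&id=2&email=ops@example.invalid"),
        ApiRequest(AUTHENTICATED_PORT, "command=updateUser&id=2&password=newpw", session_valid=True),
        ApiRequest(AUTHENTICATED_PORT, "command=updateUser&id=2&password=newpw"),
    ]
    for r in samples:
        print(f"port {r.port} {r.query!r}: {outcome(r)}")
```

The check is deliberately parameter-level rather than a blanket ban on updateUser over the integration port, mirroring the commit message: non-credential updates remain possible there, only the password field is refused.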