You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cloudstack.apache.org by John Kinsella <jl...@stratosec.co> on 2013/04/25 01:23:39 UTC
Apache CloudStack Security Advisory: Multiple vulnerabilities in
Apache CloudStack
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Product: Apache CloudStack
Vendor: The Apache Software Foundation
CVE References: CVE-2013-2756, CVE-2013-2758
Vulnerability Type(s): Authentication bypass (2756), cryptography (2758)
Vulnerable version(s): Apache CloudStack version 4.0.0-incubating and
4.0.1-incubating
Risk Level: High, Medium
CVSSv2 Base Scores: 7.3 (AV:N/AC:H/Au:N/CI:P/I:C/A:C), 4.3
(AV:A/AC:H/Au:N/CI:P/I:P/A:P)
Description:
The CloudStack PMC was notified of two issues found in Apache CloudStack:
1) An attacker with knowledge of CloudStack source code could gain
unauthorized access to the console of another tenant's VM.
2) Insecure hash values may lead to information disclosure. URLs
generated by Apache CloudStack to provide console access to virtual
machines contained a hash of a predictable sequence, the hash of
which was generated with a weak algorithm. While not easy to leverage,
this may allow a malicious user to gain unauthorized console access.
Mitigation:
Updating to Apache CloudStack versions 4.0.2 or higher will mitigate
these vulnerabilities.
Credit:
These issues were identified by Wolfram Schlich and Mathijs Schmittmann
to the Citrix security team, who in turn notified the Apache
CloudStack PMC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCgAGBQJReGl7AAoJEOom9N0pCN7Sr50P/0eXH56MdqWsRqSSQ20PobL2
Tgw3J5JgxTi1OVWlaq+5cdJO2RVbuXcT/FD5RgRYk8NSCFgzS8b3DCV+FQAjH1aL
BKGjroNfOLeEYcEYC5hsD3mDarNsJ1Wi0NvJqdbpvFuYQ50E05iCUpDhf2d8Zn/b
CQfd6ZHmduTs9UiigqwYY4QyG5aY1YKofZlv2VeXaSU+rY1mT8vU785O/nwd5x5f
pvoGBt4l544mRpdCh09c3d+9aTh879PWecGMxQ1a5fOJtGiPXkdezvsySwDEWfZ6
Hrcs682gDYpsyCZtQskfA58ijJGf+yyg0eH1zJF/ws86YBMMwI4oFGxBUuApPmTq
6KHm9Efv/fDzvQH0eT9MP8KSQ5Q5Vp6C4V8uQc77swiusnuS0ZkCk/owaXpqwEbj
//eeCforw39Im8O9JqjLjcKurneDFjsdsuuSahl9SOgAMnB4Paad58hk594FscUD
wGYxipICT/Qsl/+kjjg7I3hH8YBuvoWASkefdkQcCfPfecq/jQE5pPfyuAZmzBe4
m5TSsLU6R+0kUJHLw8Z9Amb7mCkwpJkLlp6RJGyENExU/C9pweNYp9sqEwnnkFPC
+1mqZxvEHJZe/RvwyyCGAaD6oyd11oGekU8rWxm4sDmVOIqdyIaE79LiDrQZ+Tzs
Ol6cqhf+Vjoq03KyhaoH
=fYw2
-----END PGP SIGNATURE-----