atom feed1 message in org.apache.incubator.cloudstack-dev[CVE-2012-4501] CloudStack security a...
FromSent OnAttachments
John KinsellaOct 7, 2012 1:14 pm 
Subject:[CVE-2012-4501] CloudStack security announcement
From:John Kinsella (jl@stratosec.co)
Date:Oct 7, 2012 1:14:53 pm
List:org.apache.incubator.cloudstack-dev

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

CVE-2012-4501: Apache CloudStack configuration vulnerability

Severity: Critical

Vendors: The Apache Software Foundation Citrix, Inc.

Versions Affected: As no official releases have been made, this does not affect any official Apache CloudStack releases.

Anybody using a version of CloudStack generated from the Apache CloudStack source tree prior to October 7th, 2012 will need to take the actions specified below. Please note this includes both Citrix CloudStack commercial and open-source, pre-ASF versions.

Description: The CloudStack PPMC was notified of a configuration vulnerability that exists in development versions of the Apache Incubated CloudStack project. This vulnerability allows a malicious user to execute arbitrary CloudStack API calls. A malicious user could, for example, delete all VMs in the system.

Addressing this issue is especially important for anybody using CloudStack in a public environment.

Mitigation: 1) Login to the CloudStack Database via MySQL $ mysql -u cloud -p -h host-ip-address (enter password as prompted)

2) Disable the system user and set a random password: mysql> update cloud.user set password=RAND() where id=1;

3) Exit MySQL mysql> \q

Alternatively, users can update to a version of CloudStack based on the git repository on or after October 7th, 2012.

Credit: This issue was identified by Hugo Trippaers of Schuberg Philis. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBCgAGBQJQceLUAAoJEOom9N0pCN7SR0oQAJqezwqQnJjUENwjAkJjeR/i 7Ehaq93YesCUPiWml9NSqWU9pqbDEMsBrpghAeFuFK0K3UFII7FJsqGhNA1fauJU D01LuskjQ1JfTC9bdHrlsnkNZKDN28Bb8Nr5dAhzHvCY2C25vKTXkKlxaOwjih7O 3p1mz778tWgLJ2ONFcoLGGyM7zaMnn2YnvH+KFXaA1n0KXbduZJOVvH1wOjxhm/H zpSSiSK5xKoLtDz854u8EioO/Ut+jafY6L7EiDtOZfuhMepgOKuhplP7EUwy0D9X fQGFiXc07AmfG9+kVSSom3Yn7glN3Tzr5eIj//EvExoIdbqZhNEAP++Gc+gQJlZx 0wieSl4jksUIexsmTSZonHuyEmYRzLDF2U2HWnr7t3iIWSB1Exn1k9V2m8FByJ+H wGhw+OiwHXsVs8+LHpz5w3Lhu6aVP+25XjVPq9T7B+lTxGEqd+jb4S+SQwGPA8mf AQR78Z/5oRdMYHDFgLzBqgg6fclr/Gavjkw9y9blGq+XzaHeLU0LYB+mjsruLzFq xLcCVvJQVzfglGVxZPS0FmtnCMXhqXq78PEnsTP40nFxpufkItVSB56p4M5gYgez 82QVHbyqf5ZfIaddGDe5OYYmxB59zdoHbAPtYFBmlqdaD2VQFW+0iStEPc8RNy7b kWN41XQXEMBKsuXPQofA =aaLc -----END PGP SIGNATURE-----