Tuesday, October 9, 2012

CloudStack Configuration Vulnerability Discovered

A configuration vulnerability has been discovered in CloudStack that could allow a malicious user to execute arbitrary CloudStack API calls, such as deleting all VMs being managed by CloudStack. John Kinsella of the Apache CloudStack PPMC announced the vulnerability on Sunday. The issue does have a workaround that can be applied immediately.

Severity

This is considered a critical vulnerability. You should take action to mitigate the issue immediately. Note that this can be mitigated with no downtime.

Affected Versions

All versions of CloudStack released by Citrix/Cloud.com are believed to be affected. If you’re running a version of CloudStack from the ASF git repository prior to October 7th for testing/development, that is also affected. Note that there have been no official releases from the Apache project as of yet.

Known Exploits

There are no known exploits at this time.

Mitigation

If you’re running an affected version of CloudStack, you can close this vulnerability by doing the following:
  • Log in to the CloudStack database via MySQL:

    $ mysql -u cloud -p -h host-ip-address

  • Disable the system user and set a random password:

    mysql> update cloud.user set password=RAND() where id=1;
    mysql> quit;
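The workaround above, as an added example that is not part of the original post or of CloudStack itself: the same UPDATE against cloud.user, applied from Python over a DB-API connection with a cryptographically random value instead of MySQL's RAND() (which stores a short decimal fraction as the new password), then read back to confirm exactly one row changed. The sqlite3 table is a constructed stand-in for the real cloud.user table, and the placeholder argument, SYSTEM_USER_ID and the helper names are this example's own.

```python
import secrets
import sqlite3

# Row targeted by the advisory's workaround ("where id=1"): the system account.
SYSTEM_USER_ID = 1


def rotate_system_user_password(conn, placeholder="?"):
    """Apply the workaround with a cryptographically random value.

    `conn` is any DB-API 2.0 connection whose current database is `cloud`.
    sqlite3 uses `?` placeholders; MySQL drivers such as mysql.connector or
    PyMySQL use `%s`. `placeholder` is a trusted constant, never user input.
    Returns (rows_updated, new_password) so the caller can check one row changed.
    """
    new_password = secrets.token_hex(32)  # 256 bits of entropy, hex encoded
    cur = conn.cursor()
    cur.execute(
        f"UPDATE user SET password = {placeholder} WHERE id = {placeholder}",
        (new_password, SYSTEM_USER_ID),
    )
    conn.commit()
    return cur.rowcount, new_password


def system_user_password(conn, placeholder="?"):
    """Read back the stored value so the change can be verified."""
    cur = conn.cursor()
    cur.execute(f"SELECT password FROM user WHERE id = {placeholder}", (SYSTEM_USER_ID,))
    row = cur.fetchone()
    return row[0] if row else None


def constructed_cloud_db():
    """In-memory stand-in for cloud.user, constructed for this example and
    reduced to the columns the workaround touches. Values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "system", "PLACEHOLDER-known-value"), (2, "admin", "PLACEHOLDER-admin-hash")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = constructed_cloud_db()
    before = system_user_password(db)
    rows, _ = rotate_system_user_password(db)
    print(f"rows updated: {rows}; system password changed: {before != system_user_password(db)}")
```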

Updates

This issue has been addressed in Apache CloudStack and should not affect any of the podling’s upcoming releases.
