satis egitimisatis egitimitengda.pro

Building the Cloud: Notes on Apache CloudStack (incubating)

Notes on work that's going on in the Apache CloudStack (incubating) project. Event announcements, progress reports, and more.

  • Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that has been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
  • Login
Posted by on in Product News
  • Font size: Larger Smaller
  • Hits: 28626
  • Print
  • Report this post

CloudStack Configuration Vulnerability Discovered

A configuration vulnerability has been discovered in CloudStack that could allow a malicious user to execute arbitrary CloudStack API calls, such as deleting all VMs being managed by CloudStack. John Kinsella of the Apache CloudStack PPMC announced the vulnerability on Sunday. The issue does have a workaround that can be applied immediately.

Severity

This is considered a critical vulnerability. You should take action to mitigate the issue immediately. Note that this can be mitigated with no downtime.

Affected Versions

All versions of CloudStack released by Citrix/Cloud.com are believed to be affected. If you’re running a version of CloudStack from the ASF git repository prior to October 7th for testing/development, that is also affected. Note that there have been no official releases from the Apache project as of yet.

Known Exploits

There are no known exploits at this time.

Mitigation

If you’re running an affected version of CloudStack, you can close this vulnerability by doing the following:

  • Log in to the CloudStack database via MySQL:

$mysql -u cloud -p -h host-ip-address

  • Disable the system user and set a random password:

mysql> update cloud.user set password=RAND() where id=1;
mysql> quit;

Updates

This issue has been addressed in Apache CloudStack and should not affect any of the podling’s upcoming releases.

Rate this blog entry:
Joe Brockmeier, known to many as "Zonker," is a member of the CloudStack evangelism team at Citrix. Prior to joining Citrix, Joe worked with Novell as the openSUSE community manager, and as Editor-in-Chief of Linux Magazine. He's also worked as a freelance technology journalist, and has written for LWN, NetworkWorld, ReadWriteWeb, and many other publications.
  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest Saturday, 19 July 2014

Open@Citrix

Citrix supports the open source community via developer support and evangeslism. We have a number of developers and evangelists that participate actively in the open source community in Apache Cloudstack, OpenDaylight, Xen Project and XenServer. We also conduct educational activities via the Build A Cloud events held all over the world. 

Connect