Building the Cloud: Notes on Apache CloudStack (incubating)
Notes on work that's going on in the Apache CloudStack (incubating) project. Event announcements, progress reports, and more.
CloudStack Configuration Vulnerability Discovered
A configuration vulnerability has been discovered in CloudStack that could allow a malicious user to execute arbitrary CloudStack API calls, such as deleting all VMs being managed by CloudStack. John Kinsella of the Apache CloudStack PPMC announced the vulnerability on Sunday. The issue does have a workaround that can be applied immediately.
This is considered a critical vulnerability. You should take action to mitigate the issue immediately. Note that this can be mitigated with no downtime.
All versions of CloudStack released by Citrix/Cloud.com are believed to be affected. If you’re running a version of CloudStack from the ASF git repository prior to October 7th for testing/development, that is also affected. Note that there have been no official releases from the Apache project as of yet.
There are no known exploits at this time.
If you’re running an affected version of CloudStack, you can close this vulnerability by doing the following:
- Log in to the CloudStack database via MySQL:
$ mysql -u cloud -p -h host-ip-address
- Disable the system user and set a random password:
mysql> update cloud.user set password=RAND() where id=1;
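To confirm the workaround actually landed on the right row, the same steps can be run with a before-and-after check. This is an added example, not part of the advisory; it assumes the `cloud.user` table also has a `username` column (only `id` and `password` are named above).

```sql
-- Added example (not from the advisory). Assumes cloud.user has id, username
-- and password columns; username is an assumption, id and password appear above.

-- 1. Record the system user's current row so the change can be verified.
SELECT id, username, password FROM cloud.user WHERE id = 1;

-- 2. Apply the workaround inside a transaction so it can be inspected
--    before it is committed.
START TRANSACTION;
UPDATE cloud.user SET password = RAND() WHERE id = 1;

-- 3. Exactly one row must have changed; ROW_COUNT() must be read
--    immediately after the UPDATE.
SELECT ROW_COUNT() AS rows_changed;

-- 4. The stored password must now differ from the value seen in step 1.
SELECT id, username, password FROM cloud.user WHERE id = 1;

COMMIT;
```

If `rows_changed` is not 1, or the password value is unchanged, roll back and check that you are connected to the correct database before retrying.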
This issue has been addressed in Apache CloudStack and should not affect any of the podling’s upcoming releases.