In association with heise online

09 October 2012, 17:11

CloudStack alert users to critical vulnerability

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Cloud Security icon Citrix and the Apache Software Foundation have alerted users to a critical vulnerability in the CloudStack open source cloud infrastructure management software. All versions downloaded from the site will be vulnerable. CloudStack is also an incubating Apache project but there have been no official releases from Apache of that project. If users have taken the source from the Apache project, that software will be vulnerable.

Details of the issue were disclosed on Sunday; it appears that the system had a configuration issue which meant that any use could execute arbitrary CloudStack API calls such as deleting all the VMs in the system. A workaround, detailed in the various announcements, involves logging into the MySQL database that backs the system and setting a random password on the cloud.user account.

The Apache CloudStack code has been updated with a fix for the issue and it is believed that the issue should not affect any upcoming releases of the incubating Apache CloudStack project; version 4.0 has currently been frozen and a release candidate is expected soon.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit