CloudStack alert users to critical vulnerability
Citrix and the Apache Software Foundation have alerted users to a critical vulnerability in the CloudStack open source cloud infrastructure management software. All versions downloaded from the cloudstack.org site will be vulnerable. CloudStack is also an incubating Apache project but there have been no official releases from Apache of that project. If users have taken the source from the Apache project, that software will be vulnerable.
Details of the issue were disclosed on Sunday; it appears that the system had a configuration issue which meant that any use could execute arbitrary CloudStack API calls such as deleting all the VMs in the system. A workaround, detailed in the various announcements, involves logging into the MySQL database that backs the system and setting a random password on the cloud.user account.
The Apache CloudStack code has been updated with a fix for the issue and it is believed that the issue should not affect any upcoming releases of the incubating Apache CloudStack project; version 4.0 has currently been frozen and a release candidate is expected soon.