Apache CloudStack API Call Execution

2012.10.11
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


Overall CVSS score: 10/10
Impact: 10/10
Ease of exploitation: 10/10
Required access: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

CVE-2012-4501: Apache CloudStack configuration vulnerability

Severity: Critical

Vendors: The Apache Software Foundation; Citrix, Inc.

Versions Affected: As no official releases have been made, this does not affect any official Apache CloudStack releases. Anybody using a version of CloudStack generated from the Apache CloudStack source tree prior to October 7th, 2012 will need to take the actions specified below. Please note this includes both Citrix CloudStack commercial and open-source, pre-ASF versions.

Description: The CloudStack PPMC was notified of a configuration vulnerability that exists in development versions of the Apache Incubated CloudStack project. This vulnerability allows a malicious user to execute arbitrary CloudStack API calls. A malicious user could, for example, delete all VMs in the system. Addressing this issue is especially important for anybody using CloudStack in a public environment.

Mitigation:

1) Log in to the CloudStack database via MySQL:
   $ mysql -u cloud -p -h host-ip-address
   (enter the password when prompted)

2) Disable the system user by setting a random password:
   mysql> update cloud.user set password=RAND() where id=1;

3) Exit MySQL:
   mysql> \q

Alternatively, users can update to a version of CloudStack based on the git repository on or after October 7th, 2012.

Credit: This issue was identified by Hugo Trippaers of Schuberg Philis.
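The following script is an added example, not part of the advisory or the CloudStack project, that wraps the mitigation above so it can be applied and verified from a shell. It assumes the mysql client is on PATH and that the operator supplies DB_USER and DB_HOST (defaults mirror the advisory: database user "cloud", system user id 1); the secret comes from the OS random source instead of MySQL's RAND(), which is a non-cryptographic generator that produces only a short decimal fraction.

```shell
#!/bin/sh
# Added example for CVE-2012-4501 mitigation (assumptions: mysql client on
# PATH; DB_USER/DB_HOST provided by the operator; system user has id 1).
set -eu

DB_USER="${DB_USER:-cloud}"
DB_HOST="${DB_HOST:-127.0.0.1}"
SYSTEM_USER_ID=1

# 32 hex characters from /dev/urandom. Hex only, so the value is safe to
# embed in a single-quoted SQL literal without further escaping.
random_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Build the SQL to run. The password column is replaced with an unguessable
# value; the read-back lets the operator confirm exactly one row changed.
build_mitigation_sql() {
    secret="$1"
    cat <<EOF
UPDATE cloud.user SET password = '${secret}' WHERE id = ${SYSTEM_USER_ID};
SELECT COUNT(*) AS disabled_rows
  FROM cloud.user WHERE id = ${SYSTEM_USER_ID} AND password = '${secret}';
EOF
}

# Apply the mitigation: the SQL (and the secret) go to mysql over stdin, so
# the secret never appears in the process list or the shell history.
apply_mitigation() {
    secret="$(random_secret)"
    build_mitigation_sql "$secret" |
        mysql -u "$DB_USER" -p -h "$DB_HOST" --batch
    # Expected output: a "disabled_rows" column with the value 1.
}

# Run only when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
    apply_mitigation
fi
```

Run `sh mitigate.sh apply` (hypothetical filename) on a host that can reach the database; the final SELECT should report disabled_rows = 1.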


Copyright 2024, cxsecurity.com