CVE-2012-4501: Apache CloudStack configuration vulnerability
The Apache Software Foundation
As no official releases have been made, this does not affect any
official Apache CloudStack releases.
Anybody using a version of CloudStack generated from the Apache
CloudStack source tree prior to October 7th, 2012 will need to take
the actions specified below. Please note this includes both Citrix
CloudStack commercial and open-source, pre-ASF versions.
The CloudStack PPMC was notified of a configuration vulnerability that
exists in development versions of the Apache Incubated CloudStack
project. This vulnerability allows a malicious user to execute
arbitrary CloudStack API calls. A malicious user could, for example,
delete all VMs in the system.
Addressing this issue is especially important for anybody using
CloudStack in a public environment.
1) Login to the CloudStack Database via MySQL
$ mysql -u cloud -p -h host-ip-address
(enter password as prompted)
2) Disable the system user and set a random password:
mysql> update cloud.user set password=RAND() where id=1;
3) Exit MySQL
Alternatively, users can update to a version of CloudStack based on
the git repository on or after October 7th, 2012.
This issue was identified by Hugo Trippaers of Schuberg Philis.