Apache CloudStack Multiple vulnerabilities

2013.04.25
Risk: High
Local: No
Remote: Yes
CWE: N/A

Product: Apache CloudStack Vendor: The Apache Software Foundation CVE References: CVE-2013-2756, CVE-2013-2758 Vulnerability Type(s): Authentication bypass (2756), cryptography (2758) Vulnerable version(s): Apache CloudStack version 4.0.0-incubating and 4.0.1-incubating Risk Level: High, Medium CVSSv2 Base Scores: 7.3 (AV:N/AC:H/Au:N/CI:P/I:C/A:C), 4.3 (AV:A/AC:H/Au:N/CI:P/I:P/A:P) Description: The CloudStack PMC was notified of two issues found in Apache CloudStack: 1) An attacker with knowledge of CloudStack source code could gain unauthorized access to the console of another tenant's VM. 2) Insecure hash values may lead to information disclosure. URLs generated by Apache CloudStack to provide console access to virtual machines contained a hash of a predictable sequence, the hash of which was generated with a weak algorithm. While not easy to leverage, this may allow a malicious user to gain unauthorized console access. Mitigation: Updating to Apache CloudStack versions 4.0.2 or higher will mitigate these vulnerabilities. Credit: These issues were identified by Wolfram Schlich and Mathijs Schmittmann to the Citrix security team, who in turn notified the Apache CloudStack PMC.

References:

http://seclists.org/fulldisclosure/2013/Apr/239


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top