-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability
CVSS v3: 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L)

Vendors: The Apache Software Foundation, Accelerite, Inc.

Versions affected: CloudStack versions 4.1 and newer are affected by this issue.

Description:
Apache CloudStack contains an API call[1], registerUserKeys, designed to allow a user to register for the developer API (that is, to generate an API key and secret key for their account). The call does not adequately check that the caller is entitled to act on the user ID it is given. If a malicious user is able to determine the ID of another (non-root) CloudStack user, the malicious user may be able to reset the API keys of that user and then use the newly issued keys to access the victim's account and resources.

Mitigation:
Some users may already be protected from this weakness if they have configured their commands.properties file to restrict this API call to administrators, so that it is reachable from the integration API port rather than the general API port. This is accomplished by setting registerUserKeys to 1 (the admin-only permission value) in commands.properties.

Users of Apache CloudStack version 4.9 who are using the dynamic roles feature can delete the "Allow" rule for "registerUserKeys" for each non-administrator role under the Roles/Rules section of the user interface.

Alternatively, users of Apache CloudStack should upgrade to one of the following versions, based on the release they are currently using: 4.8.1.1 or 4.9.0.1. These versions contain only security updates and no other functionality changes. Full details about the security releases can be found at [2].

Credit:
This vulnerability was reported by Marc-Aurèle Brothier from Exoscale.
1: https://cloudstack.apache.org/api/apidocs-4.8/user/registerUserKeys.html
2: https://s.apache.org/qV5l
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJYEg0wAAoJEOom9N0pCN7SK2kP/jnhxB4u1wUaf32N2EWVbPur
uv1CarrwkV7XDlmlmcBn2G7uitPO6hbDMf9z+ZB55d5pnc5EwMluUltWjwsa2ixm
aMkqepr1wNIKZkJkPo8dlpoEHtqzv3WiY4i18TS7kUV8cjUuWe0UHB3Tj4QSSTAF
CbuQhl3+xJ5S0aU2LV5buHrhbbPCpTBzK5p2NFP2Bq1YEjdh1vsXpeoJM1miKyb+
/gTt79SNDbTRmoy5zp2dtJ10nZFxW04gEAjGyV8JJlhDJhgQo3F9zVKbyIbGcDJ6
ZFJkl90EptO/ebePJ9LmV3uLYUMm21DzfcF/b2TwzaOmvIpVou0dSqqGBBsgiGbl
OFm/7YRTbBDS6w5tFtUXta4LWWEBr3tyirB2X+Qi5Ctqw5HJSmhL2yyiPYtKKKpx
pp3tOQw5oho/Qkm0Xt0ClpHfF+K5ndGWw7gbpwPdF+XpsCPciuM7LhhI1db67Azu
eY9O69fY4daX4QsppT+cBX1Yc47ZTwHJvVCSvUQLr7KHBuxCF62S52i92bknE06F
WsRlNZT8HzBMI82PImVLCreO0Eh7QgouWsDoadqeCGQw97FBXF3aLkSji90hLy6y
DO6ucUKqRwtGP9orhCB7fsK4SKFYCy4xwIUMPxY3SHahiruZEV/II8GrptyOWWLV
0K9uAQryK2GZ3Nmml1r4
=o0kf
-----END PGP SIGNATURE-----
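Editor's note: the advisory names two interim mitigations, the commands.properties bitmask (registerUserKeys=1) for static permissions and removal of the "Allow" rule for non-administrator roles under dynamic roles in 4.9. The script below is an added example for checking both offline; it is not part of the advisory or of the CloudStack project. It assumes the bitmask meaning documented in the comment header of CloudStack's own commands.properties (1 = admin, 2 = resource domain admin, 4 = domain admin, 8 = user), that a listRolePermissions response carries rolename/rule/permission fields in evaluation order with first-match-wins semantics and glob-style rule patterns, and that the root administrator role is named "Root Admin". The commands.properties fragment and the JSON response are constructed sample inputs, not captured from a real deployment.

```python
"""Offline check for the two CVE-2016-6813 mitigations named in the advisory.

Added example; not code from the advisory or the CloudStack project.
It inspects constructed copies of (1) a commands.properties fragment and
(2) a listRolePermissions API response and reports which non-administrator
roles can still reach registerUserKeys.
"""
import fnmatch
import json
import re

API = "registerUserKeys"

# Permission bitmask used by commands.properties (assumed from the comment
# header in CloudStack's own file): 1 = admin, 2 = resource domain admin,
# 4 = domain admin, 8 = user. 15 grants the call to every role.
ROLE_BITS = {1: "admin", 2: "resource-admin", 4: "domain-admin", 8: "user"}


def parse_commands_properties(text):
    """Return {command: bitmask} for every 'name=number' line, skipping comments."""
    cmds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+)\s*=\s*(\d+)", line)
        if m:
            cmds[m.group(1)] = int(m.group(2))
    return cmds


def static_exposure(properties_text, api=API):
    """Non-admin roles granted `api` by a static commands.properties.

    An empty list means only root admins (or nobody) can call it, which is
    the registerUserKeys=1 state the advisory recommends."""
    mask = parse_commands_properties(properties_text).get(api, 0)
    return [name for bit, name in ROLE_BITS.items() if mask & bit and name != "admin"]


def dynamic_exposure(response_json, api=API, admin_roles=("Root Admin",)):
    """Non-admin role names whose first matching rule for `api` is 'allow'.

    Assumes listRolePermissions returns each role's rules in evaluation order
    with fields rolename/rule/permission, that rules may be glob patterns such
    as 'list*' or '*', and that the first matching rule per role wins."""
    body = json.loads(response_json)["listrolepermissionsresponse"]
    decided = {}  # rolename -> permission of the first rule matching `api`
    for p in body.get("rolepermission", []):
        role = p["rolename"]
        if role in decided:
            continue
        if fnmatch.fnmatchcase(api.lower(), p["rule"].lower()):
            decided[role] = p["permission"].lower()
    return [r for r, perm in decided.items() if perm == "allow" and r not in admin_roles]


# --- Constructed sample inputs (not captured from a real deployment) ---
WEAK_PROPERTIES = """\
### 1 = admin, 2 = resource domain admin, 4 = domain admin, 8 = user
listUsers=15
registerUserKeys=15
"""
FIXED_PROPERTIES = "listUsers=15\nregisterUserKeys=1\n"

ROLE_PERMISSIONS_SAMPLE = json.dumps({"listrolepermissionsresponse": {"count": 5, "rolepermission": [
    {"roleid": "r-1", "rolename": "Root Admin",   "rule": "*",                "permission": "allow"},
    {"roleid": "r-2", "rolename": "Domain Admin", "rule": "registerUserKeys", "permission": "deny"},
    {"roleid": "r-2", "rolename": "Domain Admin", "rule": "*",                "permission": "allow"},
    {"roleid": "r-3", "rolename": "User",         "rule": "list*",            "permission": "allow"},
    {"roleid": "r-3", "rolename": "User",         "rule": "registerUserKeys", "permission": "allow"},
]}})

if __name__ == "__main__":
    for label, props in (("weak", WEAK_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(f"commands.properties ({label}): exposed to {static_exposure(props) or 'no non-admin roles'}")
    print(f"dynamic roles: exposed to {dynamic_exposure(ROLE_PERMISSIONS_SAMPLE) or 'no non-admin roles'}")
```

To use it against a real deployment, feed `static_exposure` the contents of the management server's commands.properties and `dynamic_exposure` the JSON from a listRolePermissions call (for example via the cloudmonkey CLI). Note that a broad "Allow" rule such as "*" on a non-administrator role exposes the call just as a literal registerUserKeys rule does, which is why the check matches patterns rather than only exact names; a "Deny" rule placed before the broad allow, as in the constructed Domain Admin role above, closes it.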