CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability

2016-10-27 Thread John Kinsella
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability

CVSS v3:
9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L)

Vendors:
The Apache Software Foundation
Accelerite, Inc

Versions affected:
CloudStack versions 4.1 and newer are affected by this issue.

Description:
Apache CloudStack contains an API call[1] designed to allow a user
to register for the developer API.  If a malicious user is able to
determine the ID of another (non-"root") CloudStack user, the
malicious user may be able to reset the API keys for the other user,
in turn accessing their account and resources.

Mitigation:
Some users may be protected from this weakness already, if they
have configured their commands.properties file to limit access to
this api call from the integration API port, instead of general API
port. This can be accomplished by setting registerUserKeys to 1.

Users of Apache CloudStack version 4.9 who are using the dynamic
roles feature can delete the "Allow" rule for "registerUserKeys"
for each non-administrator role under the Roles/Rules section of
the user interface.

Alternately, users of Apache CloudStack should upgrade to one of
the following versions, based on which release they are currently
using: 4.8.1.1, or 4.9.0.1. These versions contain only security
updates, and no other functionality change. Full details about the
security releases can be found at [2]

Credit:
This vulnerability was reported by Marc-Aurèle Brothier from Exoscale.

1: https://cloudstack.apache.org/api/apidocs-4.8/user/registerUserKeys.html
2: https://s.apache.org/qV5l
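The commands.properties mitigation in the advisory, shown as an added example (not text from the advisory or a file shipped by the project). CloudStack's commands.properties assigns each API command a permission bitmap; the role bit values in the comment follow the file's own convention, while the value 15 for the weak setting is an assumed typical value meaning "all four role bits", not a value quoted on the page. Only one registerUserKeys line should remain in the real file; the two are shown together for contrast.

```properties
### bitmap of permissions: 1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER

# Weak (assumed default): all role bits set, so any authenticated user,
# including plain users, may call registerUserKeys
registerUserKeys=15

# Mitigated, per the advisory: ADMIN bit only, so the command is reachable
# only through the integration (admin) API port, not the general API port
registerUserKeys=1
```

After editing the file, restart the management server and confirm with a non-administrator account that registerUserKeys is refused on the general API port. On 4.9 with dynamic roles enabled, commands.properties is not consulted and the Roles/Rules change described in the advisory applies instead.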


CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

2016-06-09 Thread John Kinsella
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

CVSS v2:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Accelerite, Inc

Versions affected:
CloudStack versions 4.5.0 and newer

Description:
Apache CloudStack contains an authentication module providing “single
sign-on” functionality via the SAML data format. Under certain
conditions, a user could manage to access the user interface without
providing proper credentials. As the SAML plugin is disabled by
default, this issue only affects installations that have enabled
and use SAML-based authentication.

Mitigation:
Users of Apache CloudStack using the SAML plugin should upgrade to
one of the following versions, based on which release they are
currently using: 4.5.2.1, 4.6.2.1, 4.7.1.1, or 4.8.0.1. These
versions contain only security updates, and no other functionality
change.


Re: glibc vulnerable (CVE-2015-7547)

2016-03-01 Thread John Kinsella
We (ACS security team) are aware of the glibc vulnerability, and yes a 
vulnerable version exists in the current supported version of the system VM 
image. The question though, which I’ve been trying to figure out is does the 
code running on the secondary storage VM, console proxy, or virtual router 
actually call the vulnerable code, and do so in a manner which a malicious 
party could leverage the vulnerability on the VM in a usable way.

Basically a malicious user would have to compromise the DNS resolver that the 
System VM uses for DNS resolution, and then get System VM to execute 
(basically) a reverse DNS lookup to that compromised DNS server. I don’t think 
the chance of this is significant.

All that said, best move right now is probably to update glibc if you can do so.

In the future, I’d ask if you have questions about security-related issues with 
CloudStack, to contact secur...@cloudstack.apache.org. Once we have a solid 
feel on this in the coming days, we’ll put out a blog post and/or update.

John

> On Feb 22, 2016, at 7:00 AM, Stephan Seitz 
>  wrote:
> 
> 
>> is the latest system vm template vulnerable to CVE-2015-7547 
>> (https://security-tracker.debian.org/tracker/CVE-2015-7547)?
>> I cannot find anything about it in the mailinglist and/or CS page.
> 
> If you ssh into the system-VMs, you'll find the vulnerable version of
> libc.
> 
> to mitigate this, we've updated the libc (and only the installed
> libc-packages) in the running system-VMs and rebooted them.
> 
> Additionally, we've updated the libc in the respective template.
> Since we're using XenServer, that's a vhd located at the 2nd. storage,
> which we've chroot'ed into, using blktap2, kpartx and mount.
> 
> cheers,
> 
> - Stephan
> 
> 
> 
> 



Re: HTTPS for console VM, without the wildcard DNS

2016-02-19 Thread John Kinsella
You could probably hack this - if you only provided enough IPs for your System 
VMs so that its IP wouldn’t change, you could register the SSL cert for that 
specific FQDN.

Seems like it should be possible to have the console proxy run in http-only, 
then put a TLS endpoint in front of it (haproxy, netscaler etc) but I suspect 
a few code tweaks would be necessary.

But no, no good out-of-the box solution.

John

> On Feb 19, 2016, at 8:38 AM, Nux!  wrote:
> 
> So there's no way around it, thanks Stephan. :-)
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> - Original Message -
>> From: "Stephan Seitz" 
>> To: users@cloudstack.apache.org
>> Sent: Friday, 19 February, 2016 16:21:37
>> Subject: Re: HTTPS for console VM, without the wildcard DNS
> 
>> Hi,
>> 
>> well, one could manage huge hosts-files ;)
>> 
>> but seriously, you just need a dns-name / wildcard-certificate for a
>> domain you trust. If your customers trust your certificate AND your dns
>> - maybe because of dnssec - you don't need that for every customer.
>> 
>> To keep things off our full-featured nameservers, we did a
>> zone-delegation for a cloud-subdomain.domain.tld to a small bind which
>> holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
>> A-Records.
>> This took us maybe one hour and a 3-liner in bash.
>> 
>> cheers,
>> 
>> - Stephan
>> 
>> Am Freitag, den 19.02.2016, 16:07 + schrieb Nux!:
>>> Hi,
>>> 
>>> Last I enabled HTTPS for the console VM, I had to get a *.domain.tld and a
>>> wildcard certificate to match that.
>>> Is there no other way to enable SSL without the wildcard DNS bit?
>>> It adds a bit of overhead having to setup DNS infra for the customer just so
>>> he's able to securely access his cloud.
>>> 
>>> 
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>> 
>>> Nux!
>>> www.nux.ro
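The flat-zone approach Stephan describes (a delegated sub-zone whose A records map a-b-c-d.zone to a.b.c.d, so one wildcard certificate covers every console proxy address), written out as an added example in POSIX sh. This is not Stephan's script or anything from the CloudStack project; the zone name and the 203.0.113.0/24 prefix are constructed inputs, and the SOA/NS header of the zone file is assumed to be written separately.

```sh
# Added example, not code from the thread. Emits the A records for a
# console-proxy sub-zone: each a.b.c.d in a /24 becomes a-b-c-d.<zone>.

# console_record ZONE IPV4 -> one A record line, e.g.
#   203-0-113-7.cloud.example.com. IN A 203.0.113.7
console_record() {
  zone=$1
  ip=$2
  # Dotted quad to dashed label: 203.0.113.7 -> 203-0-113-7
  label=$(printf '%s' "$ip" | tr '.' '-')
  printf '%s.%s. IN A %s\n' "$label" "$zone" "$ip"
}

# console_zone ZONE PREFIX24 -> records for PREFIX24.1 through PREFIX24.254
# (network and broadcast addresses are skipped on purpose)
console_zone() {
  zone=$1
  prefix=$2
  i=1
  while [ "$i" -le 254 ]; do
    console_record "$zone" "$prefix.$i"
    i=$((i + 1))
  done
}

# Usage (constructed values): append the output to the delegated zone file
# console_zone cloud.example.com 203.0.113 >> cloud.example.com.zone
```

Because the labels are derived purely from the address, the zone is static and can be regenerated whenever the console proxy address pool changes; the wildcard certificate for *.cloud.example.com then matches every name without any per-customer DNS work.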



Re: No Key

2016-02-06 Thread John Kinsella
If you look at Shapeblue’s package page[1] they indeed do use GPG keys on their 
packages, and the page shows how to set that up.

Look under section "Configuring Repository for RPM based platforms"

John

1:http://www.shapeblue.com/packages/

> On Feb 4, 2016, at 2:00 AM, Mohd Zainal Abidin Rabani  
> wrote:
> 
> Hi,
> 
> I'm getting this error using yum:
> 
> Public key for cloudstack-management-4.6.2-shapeblue0.el7.centos.x86_64.rpm 
> is not installed
> 
> -
> Regards,
> Mohd Zainal Abidin Rabani
> Technical Support
> 
> ModernOne Data Solutions Sdn. Bhd.(1119382-D)
> No. 83-2, Jalan TKS 1,
> Kajang Sentral, 43000 Kajang, Selangor.
> T : 03-8737 0030 | F : 03-8737 0070
> E : zai...@nocser.net
> W : www.modern.com.my | www.nocser.net



Two late-announced security advisories

2016-02-04 Thread John Kinsella
Folks - I just sent out 2 security advisories that should have been sent out 
several months ago - luckily the ASF security team was aware of them and 
prodded the ACS security team as to what was up. Earlier today I realized the 
announcements hadn’t gone out, so they were just sent.

I just put up a blog post[1] explaining how this happened and what we’re going 
to do in the future to minimize the chance of it happening again.

If folks have further questions about the advisories or the mixup in posting 
them, I’m happy to discuss privately or on-list.

With apologies...

John
1: 
https://blogs.apache.org/cloudstack/entry/two_late_announced_security_advisories

CVE-2015-3252: Apache CloudStack VNC authentication issue

2016-02-04 Thread John Kinsella
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

CVE-2015-3252: Apache CloudStack VNC authentication issue

CVSS v2:
4.3 (AV:N/AC:H/Au:M/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Affected:
Apache CloudStack 4.4.4, 4.5.1

Description:
Apache CloudStack sets a VNC password unique to each KVM virtual
machine under management. Upon migrating a VM from one host to
another, the VNC password is no longer set in KVM on the new host.

To leverage this issue, an attacker would need to have network
access to a CloudStack host to be able to connect via VNC directly.

Mitigation:
Users of Apache CloudStack and derivatives should ensure their hosts
are behind network firewalls, and should update to at least version
4.5.2 or 4.6.0, depending on which tree is being used.


CVE-2015-3251: Apache CloudStack VM Credential Exposure

2016-02-04 Thread John Kinsella
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

CVE-2015-3251: Apache CloudStack VM Credential Exposure

CVSS v2:
6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Affected:
Apache CloudStack 4.4.4, 4.5.1

Description:
Apache CloudStack provides an API for managing network, compute,
storage, and user aspects of a CloudStack cloud. Under certain
circumstances, the results of certain API calls may expose the root
password for a virtual machine related to an API call.

This exposure only happens when the API calls of concern are
authenticated with CloudStack's "root" or "domain administrator"
level users.

Mitigation:
Users of Apache CloudStack should update to at least 4.5.2 or 4.6.0.
Additionally ensure non-administrative users do not have root or
domain-administrator level accounts.


Re: gpg verification: missing key 0EE3D884

2015-11-19 Thread John Kinsella
Just to confirm…

$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: Signature made Wed Aug 19 02:13:04 2015 PDT using RSA key ID 0EE3D884
gpg: Good signature from "Rohit Yadav (CODE SIGNING KEY) <bhais...@apache.org>"

Thanks!

On Nov 18, 2015, at 11:52 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:

Hi John and Udo,

Thanks for bringing this to attention. I’m unsure how I missed this but updated 
the KEYS file now.

Regards.

On 17-Nov-2015, at 5:28 AM, John Kinsella <j...@stratosec.co> wrote:

Rohit - looks like your key isn’t in 
https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?

On Nov 16, 2015, at 3:43 PM, Udo Rader <list...@bestsolution.at> wrote:

Hi,

I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
download using gpg, but gpg tells me that the used key is unknown:

[udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
0EE3D884
gpg: Can't check signature: public key not found

So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
am I missing something?

Regards

Udo


Regards,
Rohit Yadav
Software Architect, ShapeBlue





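The check this thread is really about, as an added example in POSIX sh (not a script from the thread or from the CloudStack project): a "Good signature" only means something if the signing key is one the project published in its KEYS file. The function imports KEYS into a throwaway keyring and verifies against that keyring alone, so a key pulled from a keyserver because KEYS happened to be incomplete can never satisfy the check. It assumes gpg is installed; the file names in the usage comment are the ones from the thread, and the exit-code convention is the example's own.

```sh
# Added example, not code from the thread. verify_release TARBALL SIGNATURE KEYSFILE
#   0 = verified by a key listed in KEYSFILE
#   1 = not verified (bad signature, or signing key not in KEYSFILE)
#   2 = missing input file or no usable key in KEYSFILE
verify_release() {
  tarball=$1
  sig=$2
  keys=$3
  if [ ! -f "$tarball" ] || [ ! -f "$sig" ] || [ ! -f "$keys" ]; then
    echo "usage: verify_release TARBALL SIGNATURE KEYSFILE (all must exist)" >&2
    return 2
  fi

  # Throwaway keyring: nothing from the user's normal keyring is consulted.
  tmp=$(mktemp -d) || return 2
  chmod 700 "$tmp"

  # Import KEYS, then count what actually arrived rather than trusting gpg's exit code.
  GNUPGHOME="$tmp" gpg --batch --quiet --import "$keys" 2>/dev/null || true
  nkeys=$(GNUPGHOME="$tmp" gpg --batch --with-colons --list-keys 2>/dev/null \
          | grep -c '^pub:') || true
  if [ "${nkeys:-0}" -eq 0 ]; then
    rm -rf "$tmp"
    echo "no usable keys imported from $keys" >&2
    return 2
  fi

  # --status-fd 1 yields machine-readable lines; VALIDSIG is emitted only for a
  # good signature and carries the full fingerprint of the signing key.
  status=$(GNUPGHOME="$tmp" gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || true
  rm -rf "$tmp"

  fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
  if [ -n "$fpr" ]; then
    echo "verified: $tarball is signed by $fpr, which is listed in $keys"
    return 0
  fi
  echo "NOT verified: $tarball (bad signature, or signing key not in $keys)" >&2
  return 1
}

# Usage with the files from this thread, after fetching KEYS from
# https://dist.apache.org/repos/dist/release/cloudstack/KEYS :
# verify_release apache-cloudstack-4.5.2-src.tar.bz2 apache-cloudstack-4.5.2-src.tar.bz2.asc KEYS
```

With the KEYS file as it stood when Udo ran his check (Rohit's key absent), the function returns 2 rather than 1, which separates "the project has not published this key" from "the signature is wrong" and avoids the temptation to fix the first case by importing the key from elsewhere.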



Re: gpg verification: missing key 0EE3D884

2015-11-17 Thread John Kinsella
No apologies. :)

> On Nov 17, 2015, at 11:33 AM, Udo Rader  wrote:
> 
> sorry for the noise & being probably paranoid here, but I've once had to
> deal with compromised source code (proftpd) and I promised myself to
> cross check as much as I can ...
> 
> On 11/17/2015 06:35 PM, John Kinsella wrote:
>> Thanks.
>> 
>> Rohit’s out sick, but I’ve reached out to coworkers to see when we can get 
>> that straightened out.  I’m confident it’s not a security risk, but will 
>> update once we can confirm that.
>> 
>> John
>> 
>>> On Nov 17, 2015, at 9:12 AM, Udo Rader  wrote:
>>> 
>>> created a jira issue for this
>>> https://issues.apache.org/jira/browse/CLOUDSTACK-9070 ...
>>> 
>>> On 11/17/2015 12:58 AM, John Kinsella wrote:
>>>> Rohit - looks like your key isn’t in 
>>>> https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?
>>>> 
>>>> On Nov 16, 2015, at 3:43 PM, Udo Rader <list...@bestsolution.at> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
>>>> download using gpg, but gpg tells me that the used key is unknown:
>>>> 
>>>> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
>>>> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
>>>> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
>>>> 0EE3D884
>>>> gpg: Can't check signature: public key not found
>>>> 
>>>> So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
>>>> am I missing something?
>>>> 
>>>> Regards
>>>> 
>>>> Udo
>>>> 
>> 



Re: gpg verification: missing key 0EE3D884

2015-11-17 Thread John Kinsella
Thanks.

Rohit’s out sick, but I’ve reached out to coworkers to see when we can get that 
straightened out.  I’m confident it’s not a security risk, but will update once 
we can confirm that.

John

> On Nov 17, 2015, at 9:12 AM, Udo Rader  wrote:
> 
> created a jira issue for this
> https://issues.apache.org/jira/browse/CLOUDSTACK-9070 ...
> 
> On 11/17/2015 12:58 AM, John Kinsella wrote:
>> Rohit - looks like your key isn’t in 
>> https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?
>> 
>> On Nov 16, 2015, at 3:43 PM, Udo Rader <list...@bestsolution.at> wrote:
>> 
>> Hi,
>> 
>> I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
>> download using gpg, but gpg tells me that the used key is unknown:
>> 
>> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
>> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
>> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
>> 0EE3D884
>> gpg: Can't check signature: public key not found
>> 
>> So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
>> am I missing something?
>> 
>> Regards
>> 
>> Udo
>> 



Re: gpg verification: missing key 0EE3D884

2015-11-16 Thread John Kinsella
Rohit - looks like your key isn’t in 
https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?

On Nov 16, 2015, at 3:43 PM, Udo Rader <list...@bestsolution.at> wrote:

Hi,

I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
download using gpg, but gpg tells me that the used key is unknown:

[udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
0EE3D884
gpg: Can't check signature: public key not found

So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
am I missing something?

Regards

Udo



Re: cloudstack vulnerable by COLLECTIONS-580?

2015-11-10 Thread John Kinsella
Thanks for sending this, Rene. In the future, please send issues like this to 
secur...@cloudstack.apache.org.

We’re looking things over, and will have further comments after review.

John

On Nov 10, 2015, at 6:07 AM, Rene Moser <m...@renemoser.net> wrote:

Hi

This security issue came to my attention:
https://issues.apache.org/jira/browse/COLLECTIONS-580

See
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
for more background information.

I am not sure if cloudstack is affected, at least we have dependency to
this vulnerable lib:

$ grep -Rl InvokerTransformer .
./plugins/hypervisors/kvm/target/dependencies/commons-collections-3.2.1.jar
./client/target/cloud-client-ui-4.5.2.war
./client/target/cloud-client-ui-4.5.2/WEB-INF/lib/commons-collections-3.2.1.jar
./usage/target/dependencies/commons-collections-3.2.1.jar
./agent/target/dependencies/commons-collections-3.2.jar
./engine/service/target/engine/WEB-INF/lib/commons-collections-3.2.jar

Thanks for clarification.

Yours
René



Xen security issue

2015-11-02 Thread John Kinsella
Folks running paravirtualized VMs on Xen (3.4 and newer) hosts need to patch to 
protect against a new vulnerability that allows an admin in a VM to escape up 
to the host:

http://xenbits.xen.org/xsa/advisory-148.html

John

Stratosec - Secure Finance and Healthcare Clouds
http://stratosec.co
o: 415.315.9385
@johnlkinsella



Re: openssl/cloudstack

2015-07-11 Thread John Kinsella
Update - looks like there’s no exposure to the vulnerability for us. The Debian 
images we use do not use a vulnerable version of OpenSSL.

Thanks for the patience!

John

On Jul 10, 2015, at 10:19 AM, John Kinsella <j...@stratosec.co> wrote:

Folks - just put up a brief blog post about the latest OpenSSL issue and how 
that affects CloudStack. Long story short - we think it does, but are verifying 
that. Hopefully will have an update by the end of the day.

https://blogs.apache.org/cloudstack/entry/cloudstack_and_openssl_cve_2015

Will update here and on the blog/twitters as we know more.

John



openssl/cloudstack

2015-07-10 Thread John Kinsella
Folks - just put up a brief blog post about the latest OpenSSL issue and how 
that affects CloudStack. Long story short - we think it does, but are verifying 
that. Hopefully will have an update by the end of the day.

https://blogs.apache.org/cloudstack/entry/cloudstack_and_openssl_cve_2015

Will update here and on the blog/twitters as we know more.

John


Re: New SSL vulnerability #FREAK

2015-03-03 Thread John Kinsella
Thanks for confirmation, Eric

Pardon any typos - sent from mobile device
Stratosec
o: 415.315.9385
@johnlkinsella

On Mar 3, 2015, at 10:59 PM, Erik Weber <terbol...@gmail.com> wrote:

On Wed, Mar 4, 2015 at 2:21 AM, Nux! <n...@li.nux.ro> wrote:

https://freakattack.com/

That time of the month again. Secure your stuff, folks.


Tried against the SSVM on a CCP 4.3.2 installation, with updated system vm
template (think it was Beast or shellshock).
Does not export the mentioned ciphers.

--
Erik


Re: New SSL vulnerability #FREAK

2015-03-03 Thread John Kinsella
I don't *think* ACS is vulnerable, but haven't gotten a chance to confirm that 
yet. 

Excuse any typos - sent from mobile device

> On Mar 3, 2015, at 17:23, Nux!  wrote:
> 
> https://freakattack.com/
> 
> That time of the month again. Secure your stuff, folks.
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro


Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sth

2015-01-28 Thread John Kinsella
FYI the blog post mentioned below now has links to updated SSVM templates.

> On Jan 28, 2015, at 11:49 AM, John Kinsella  wrote:
> 
> Folks - just posted mitigation details at [1]. An updated SSVM template is 
> being QAed, once released the post will be updated with links and we’ll 
> mention here as well.
> 
> John
> 1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc
> 
> On Jan 28, 2015, at 4:55 AM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> 
> Hi,
> 
> While it's a general public news, everyone is requested and encouraged
> to use the security mailing list in future to report anything. For more
> details please read: http://cloudstack.apache.org/security.html
> 
> Thanks and regards.
> 
> On Wednesday 28 January 2015 03:34 PM, linux...@gmail.com wrote:
> A critical vulnerability has been found in glibc, the GNU C library,
> that affects all Linux systems dating back to 2000. Attackers can use
> this flaw to execute code and remotely gain control of Linux machines.
> 
> The issue stems from a heap-based buffer overflow found in the
> __nss_hostname_digits_dots() function in glibc. That particular
> function is used by the _gethostbyname function calls.
> 
> 
> “A remote attacker able to make an application call either of these
> functions could use this flaw to execute arbitrary code with the
> permissions of the user running the application,” said an advisory
> from Linux distributor Red Hat.
> 
> The vulnerability, CVE-2015-0235, has already been nicknamed GHOST
> because of its relation to the _gethostbyname function. Researchers at
> Qualys discovered the flaw, and say it goes back to glibc version 2.2
> in Linux systems published in November 2000.
> 
> According to Qualys, there is a mitigation for this issue that was
> published May 21, 2013 between patch glibc-2.17 versions and
> glibc-2.18.
> 
> “Unfortunately, it was not recognized as a security threat; as a
> result, most stable and long-term-support distributions were left
> exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6
> & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from
> Qualys posted to the OSS-Security mailing list.
> 
> Respective Linux distributions will be releasing patches; Red Hat has
> released an update for Red Hat Enterprise Linux v.5 server. Novell has
> a list of SUSE Linux Enterprise Server builds affected by the
> vulnerability. Debian has already released an update of its software
> addressing the vulnerability.
> 
> “It’s everywhere, which is kind of the urgency we have here. This has
> been in glibc for a long time. It was fixed recently, but it was not
> marked as a security issue, so things that are fairly new should be
> OK,” said Josh Bressers, a member of the Red Hat security response
> team. “From a threat level, what it comes down to is a handful of
> stuff that’s probably dangerous that uses this function.”
> 
> Unlike past Internet-wide bugs such as Bash, patching glibc may not be
> the chore it was with Bash since so many components made silent Bash
> calls.
> 
> “In this instance, you just apply the glibc update, and restart any
> services that are vulnerable,” Bressers said. “It’s not confusing like
> Shellshock was.”
> 
> Qualys, in its advisory, not only shares extremely in-depth technical
> information on the vulnerability, but also includes a section
> explaining exploitation of the Exim SMTP mail server. The advisory
> demonstrates how to bypass NX, or No-eXecute protection as well as
> glibc malloc hardening, Qualys said.
> 
> Qualys also said that in addition to the 2013 patch, other factors
> mitigate the impact of the vulnerability, including the fact that the
> gethostbyname functions are obsolete because of IPv6 and newer
> applications using a different call, getaddrinfo(). While the flaw is
> also exploitable locally, this scenario too is mitigated because many
> programs rely on gethostbyname only if another preliminary call fails
> and a secondary call succeeds in order to reach the overflow. The
> advisory said this is “impossible” and those programs are safe.
> 
> There are mitigations against remote exploitation too, Qualys said.
> Servers, for example, use gethostbyname to perform full-circle reverse
> DNS checks. “These programs are generally safe because the ho

Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sth

2015-01-28 Thread John Kinsella
Folks - just posted mitigation details at [1]. An updated SSVM template is 
being QAed, once released the post will be updated with links and we’ll mention 
here as well.

John
1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc

On Jan 28, 2015, at 4:55 AM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:

Hi,

While it's a general public news, everyone is requested and encouraged
to use the security mailing list in future to report anything. For more
details please read: http://cloudstack.apache.org/security.html

Thanks and regards.

On Wednesday 28 January 2015 03:34 PM, 
linux...@gmail.com wrote:
A critical vulnerability has been found in glibc, the GNU C library,
that affects all Linux systems dating back to 2000. Attackers can use
this flaw to execute code and remotely gain control of Linux machines.

The issue stems from a heap-based buffer overflow found in the
__nss_hostname_digits_dots() function in glibc. That particular
function is used by the _gethostbyname function calls.


“A remote attacker able to make an application call either of these
functions could use this flaw to execute arbitrary code with the
permissions of the user running the application,” said an advisory
from Linux distributor Red Hat.

The vulnerability, CVE-2015-0235, has already been nicknamed GHOST
because of its relation to the _gethostbyname function. Researchers at
Qualys discovered the flaw, and say it goes back to glibc version 2.2
in Linux systems published in November 2000.

According to Qualys, there is a mitigation for this issue that was
published May 21, 2013 between patch glibc-2.17 versions and
glibc-2.18.

“Unfortunately, it was not recognized as a security threat; as a
result, most stable and long-term-support distributions were left
exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6
& 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from
Qualys posted to the OSS-Security mailing list.

Respective Linux distributions will be releasing patches; Red Hat has
released an update for Red Hat Enterprise Linux v.5 server. Novell has
a list of SUSE Linux Enterprise Server builds affected by the
vulnerability. Debian has already released an update of its software
addressing the vulnerability.

“It’s everywhere, which is kind of the urgency we have here. This has
been in glibc for a long time. It was fixed recently, but it was not
marked as a security issue, so things that are fairly new should be
OK,” said Josh Bressers, a member of the Red Hat security response
team. “From a threat level, what it comes down to is a handful of
stuff that’s probably dangerous that uses this function.”

Unlike past Internet-wide bugs such as Bash, patching glibc may not be
the chore it was with Bash since so many components made silent Bash
calls.

“In this instance, you just apply the glibc update, and restart any
services that are vulnerable,” Bressers said. “It’s not confusing like
Shellshock was.”

Qualys, in its advisory, not only shares extremely in-depth technical
information on the vulnerability, but also includes a section
explaining exploitation of the Exim SMTP mail server. The advisory
demonstrates how to bypass NX, or No-eXecute protection as well as
glibc malloc hardening, Qualys said.

Qualys also said that in addition to the 2013 patch, other factors
mitigate the impact of the vulnerability, including the fact that the
gethostbyname functions are obsolete because of IPv6 and newer
applications using a different call, getaddrinfo(). While the flaw is
also exploitable locally, this scenario too is mitigated because many
programs rely on gethostbyname only if another preliminary call fails
and a secondary call succeeds in order to reach the overflow. The
advisory said this is “impossible” and those programs are safe.

There are mitigations against remote exploitation too, Qualys said.
Servers, for example, use gethostbyname to perform full-circle reverse
DNS checks. “These programs are generally safe because the hostname
passed to gethostbyname() has normally been pre-validated by DNS
software,” the advisory said.

“It’s not looking like a huge remote problem, right now,” Bressers said.

However, while the bug may have been dormant since 2000, there is no
way to tell if criminals or government-sponsored hackers have been
exploiting this vulnerability. Nor is there any way to tell what will
happen once legitimate security researchers—and black hats—begin
looking at the vulnerability now that it’s out in the open. With Bash,
for example, it didn’t take long for additional security issues to
rise to the surface.

- See more at: 
https://threatpost.com/ghost-glibc-remote-code-execut

Re: How to remove VM entry from CloudStack database?

2014-12-12 Thread John Kinsella
CloudStack doesn’t usually remove records from db tables. If you look at 
vm_instance (or many other tables in there) you’ll see three timestamp fields: 
created, update_time, and removed. So if you want to “remove” a 
vm/disk/nic/etc, you change the removed field from null to a timestamp, e.g.

UPDATE vm_instance SET removed=now() WHERE id=105;

John

> On Dec 11, 2014, at 11:31 PM, Vadim Kimlaychuk  
> wrote:
> 
> Tejas,
> 
>   "Stopped" and "Destroyed" are "visible" statuses of VM at dashboard as 
> well as "Expunging". You should put "Expunged" for the VM not to be visible.  
> Entirely removing the row in DB is not a good option. CS does not ever remove 
> data for VMs being destroyed and expunged - they always remain in the database.
> 
> Vadim.
> 
> -Original Message-
> From: Tejas Sheth [mailto:tshet...@gmail.com] 
> Sent: Friday, December 12, 2014 9:01 AM
> To: users@cloudstack.apache.org
> Subject: Re: How to remove VM entry from CloudStack database?
> 
> Hi,
> 
>  I have tried to change the vm_instance table state value to "Stopped" and 
> "Destroyed" but i was neither able to start nor destroy vm. so finally i 
> removed entire row of that particular VM and finally that VM was removed from 
> instance dashboard.
> 
> can anyone suggest that in order to complete cleanup activity do we need to 
> delete any other entry from any other table?
> 
> Thanks,
> Tejas
> 
> On Fri, Dec 12, 2014 at 8:30 AM, Tejas Sheth  wrote:
>> 
>> Hello,
>> 
>>  Its not in production so i can test the DB modification, Let me try 
>> to modify VM entry from vm_instance table and I'll let you guys know 
>> the result.
>> 
>> Thanks,
>> Tejas
>> 
>> On Fri, Dec 12, 2014 at 5:45 AM, Matthew Midgett < 
>> clouds...@trick-solutions.com.invalid> wrote:
>> 
>>> I have phpmyadmin running on my MariaDB server as I am no sql expert.
>>> Then it's cloud > vm_instance and change the state by editing the row 
>>> for the VM ID that you need to Stopped, Destroyed or Expunging
>>> 
>>> Not responsible for your actions :)
>>> 
>>> Matthew Midgett
>>> Trick Solutions
>>> 143 Jenny Marie Rd
>>> Mooresville NC,28115
>>> 336-618-7425 Office
>>> 704-728-5644 Cell
>>> www.trick-solutions.com
>>> 
>>> 
>>> 
>>> 
>>> -Original Message-
>>> From: Tejas Sheth [mailto:tshet...@gmail.com]
>>> Sent: Thursday, December 11, 2014 9:20 AM
>>> To: users@cloudstack.apache.org
>>> Subject: How to remove VM entry from cloudstack database?
>>> 
>>> Hello,
>>> 
>>>  I was trying to migrate a vm to another cluster using the storage migration 
>>> option in Cloudstack 4.3.1.
>>> unfortunately now it got stuck at migrating stage and don't know how 
>>> to recover.
>>> 
>>> since it is test environment we can remove it from database.
>>> Does anyone knows how to cleanup VM entry from cloudstack and its 
>>> database?
>>> 
>>> Thanks,
>>> Tejas
>>> 
>>> 
>> 
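The UPDATE above is the whole trick, but on a real database a practitioner wants the guards around it: confirm the row exists and is not already removed, refuse VMs the hypervisor may still be running, mark the dependent volume and NIC rows the same way, and do it all in one transaction. The following is an added example in Python, not code from this thread or from CloudStack, run against a reduced in-memory SQLite copy of the tables standing in for the MySQL `cloud` database. The vm_instance columns follow the message above; the volumes/nics tables with an instance_id column, the LIVE_STATES list and the sample rows are assumptions constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Reduced schema. vm_instance columns follow the thread above; volumes/nics with an
# instance_id column and a removed timestamp are an assumption about the real schema.
SCHEMA = """
CREATE TABLE vm_instance (id INTEGER PRIMARY KEY, name TEXT, state TEXT,
                          created TEXT, update_time TEXT, removed TEXT);
CREATE TABLE volumes (id INTEGER PRIMARY KEY, instance_id INTEGER, removed TEXT);
CREATE TABLE nics    (id INTEGER PRIMARY KEY, instance_id INTEGER, removed TEXT);
"""

# Constructed sample rows: VM 105 is stuck in Migrating (the case in the thread),
# VM 106 is healthy and must not be touched.
SAMPLE_ROWS = """
INSERT INTO vm_instance VALUES (105, 'i-2-105-VM', 'Migrating', '2014-12-01 10:00:00', '2014-12-11 08:00:00', NULL);
INSERT INTO vm_instance VALUES (106, 'i-2-106-VM', 'Running',   '2014-12-01 10:00:00', '2014-12-11 08:00:00', NULL);
INSERT INTO volumes VALUES (201, 105, NULL);
INSERT INTO volumes VALUES (202, 106, NULL);
INSERT INTO nics VALUES (301, 105, NULL);
"""

# States in which the hypervisor may still be running the VM (assumed list). Marking
# such a row removed orphans a live guest, so stop it through CloudStack first.
LIVE_STATES = {"Running", "Starting", "Stopping"}

DEPENDENT_TABLES = ("volumes", "nics")   # fixed list, so the table name is never user input


def open_sample_db():
    """In-memory stand-in for the MySQL 'cloud' database, with explicit transactions."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def soft_delete_vm(conn, vm_id, now=None):
    """Mark one vm_instance row and its dependent rows as removed. Nothing is deleted.

    Returns {table: rows_updated}. Raises LookupError for an unknown id and ValueError
    if the VM is already removed or in a state where the hypervisor may still hold it.
    """
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        row = cur.execute("SELECT state, removed FROM vm_instance WHERE id = ?",
                          (vm_id,)).fetchone()
        if row is None:
            raise LookupError(f"vm_instance id {vm_id} does not exist")
        state, removed = row
        if removed is not None:
            raise ValueError(f"vm {vm_id} was already removed at {removed}")
        if state in LIVE_STATES:
            raise ValueError(f"vm {vm_id} is {state}; stop it through CloudStack first")

        touched = {}
        # The WHERE clauses repeat the guard so a concurrent change cannot slip past it.
        touched["vm_instance"] = cur.execute(
            "UPDATE vm_instance SET removed = ?, update_time = ? "
            "WHERE id = ? AND removed IS NULL", (now, now, vm_id)).rowcount
        for table in DEPENDENT_TABLES:
            touched[table] = cur.execute(
                f"UPDATE {table} SET removed = ? WHERE instance_id = ? AND removed IS NULL",
                (now, vm_id)).rowcount
        cur.execute("COMMIT")
        return touched
    except Exception:
        cur.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    db = open_sample_db()
    print(soft_delete_vm(db, 105))
    print(db.execute("SELECT id, state, removed FROM vm_instance").fetchall())
```

Against MySQL the same statements work with the connector's `%s` placeholders; the point is that the row count stays the same before and after, so the history John describes is preserved.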



Re: Desktop as a service

2014-12-10 Thread John Kinsella
I don’t know of a good OSS alternative to XenDesktop. From what I’ve seen on 
Cantivo’s site, no source was released and what was released hasn’t had an 
update in a few years. VCL I think of more for lab management than virtualized 
desktop orchestration. Spice itself looks like it has potential, but i haven’t 
looked deep enough to see how ready-to-go it is, maybe somebody else can chime 
in. I’m not aware of anybody working on Spice/ACS integration, yet.

John

> On Dec 9, 2014, at 11:37 AM, Tilak Raj Singh  wrote:
> 
> Hello John,
> 
> Thanks for your reply. Have looked at XenDesktop but I am looking for some
> open source alternative to this. Is there something else available for such
> tasks which can be used for both windows and Linux?
> I found a few alternatives like spice (http://www.spice-space.org/), apache
> VCL (http://vcl.apache.org/) and cantivo (http://cantivo.org/)
> I wished to know if any of these can be used with cloudstack? If yes then
> can someone please guide me how to do that?
> 
> Regards
> 
> On Tue, Dec 9, 2014 at 5:43 AM, John Kinsella  wrote:
> 
>> 
>>> On Dec 5, 2014, at 11:08 PM, Tilak Raj Singh  wrote:
>>> 
>>> Hello Everybody,
>>> 
>>> I am new to cloudstack so I don't know if I am going off the topic here. I
>>> wished to know how to setup Virtual Desktop Interface (VDI) using
>>> cloudstack. I browsed the net and found that openstack has the capabilities
>>> to setup this feature. Can cloudstack be used to deploy such a
>>> service? If yes some links for the same would be highly appreciated. Also
>>> if cloudstack does not have that capability then is there some alternative
>>> to this?
>> 
>> Hi and welcome!  CloudStack can be used with Citrix XenDesktop and XenApp
>> to provide VDI services for users. It’s covered in the XenDesktop
>> install/setup docs (just replace CloudPlatform with CloudStack)
>> 
>>> Another thing I wanted to know is how to instantiate virtual machines
>>> automatically if the load is increased. Have read about load balancing
>> and
>>> I guess its regarding this only.
>> 
>> If you mean for VDI, XenDesktop can manage this once connected to
>> CloudStack. If you mean outside of that setup, the phrase you’re looking
>> for is “autoscaling.” Currently it works with either NetScaler load
>> balancers or XenServer virtualization.
>> 
>>> The architecture I wish to setup is to provide VDI to several users on
>>> demand via browsers, where the compute is done on the virtual machines.
>> Now
>>> when suppose 10 users are simultaneously using this Virtual Desktop the
>>> load on the VM increases so cloudstack spawns another VM to share the load
>>> of these 10 users to 5 each on these two VMs created. I hope my doubt is
>>> clear.
>> 
>> Yep - XenDesktop will do that for ya. :)
>> 
>> John



Re: Desktop as a service

2014-12-08 Thread John Kinsella

> On Dec 5, 2014, at 11:08 PM, Tilak Raj Singh  wrote:
> 
> Hello Everybody,
> 
> I am new to cloudstack so I don't know if I am going off the topic here. I
> wished to know how to setup Virtual Desktop Interface (VDI) using
> cloudstack. I browsed the net and found that openstack has the capabilities
> to setup this feature. Can cloudstack be used to deploy such a
> service? If yes some links for the same would be highly appreciated. Also
> if cloudstack does not have that capability then is there some alternative
> to this?

Hi and welcome!  CloudStack can be used with Citrix XenDesktop and XenApp to 
provide VDI services for users. It’s covered in the XenDesktop install/setup 
docs (just replace CloudPlatform with CloudStack)

> Another thing I wanted to know is how to instantiate virtual machines
> automatically if the load is increased. Have read about load balancing and
> I guess its regarding this only.

If you mean for VDI, XenDesktop can manage this once connected to CloudStack. 
If you mean outside of that setup, the phrase you’re looking for is 
“autoscaling.” Currently it works with either NetScaler load balancers or 
XenServer virtualization.

> The architecture I wish to setup is to provide VDI to several users on
> demand via browsers, where the compute is done on the virtual machines. Now
> when suppose 10 users are simultaneously using this Virtual Desktop the
> load on the VM increases so cloudstack spawns another VM to share the load
> of these 10 users to 5 each on these two VMs created. I hope my doubt is
> clear.

Yep - XenDesktop will do that for ya. :) 

John

[CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds

2014-12-08 Thread John Kinsella
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds

CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Affected:
Apache CloudStack 4.3, 4.4

Description:
Apache CloudStack may be configured to authenticate LDAP users.
When so configured, it performs a simple LDAP bind with the name
and password provided by a user.  Simple LDAP binds are defined
with three mechanisms (RFC 4513): 1) username and password; 2)
unauthenticated if only a username is specified; and 3) anonymous
if neither username or password is specified.  Currently, Apache
CloudStack does not check if the password was provided which could
allow an attacker to bind as an unauthenticated user.

Mitigation:
Users of Apache CloudStack 4.4 and derivatives should update to the
latest version (4.4.2)

An updated release for Apache CloudStack 4.3.2 is in testing. Until
that is released, we recommend following the mitigation below:

By default, many LDAP servers are not configured to allow unauthenticated
binds.  If the LDAP server in use allows this behaviour, a potential
interim solution would be to consider disabling unauthenticated
binds.

Credit:
This issue was identified by the Citrix Security Team.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
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=QqOf
-END PGP SIGNATURE-
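To see why "the password was not checked" is enough for a bypass, it helps to look at the bind on the wire. The following is an added example in Python, not code from the advisory or from CloudStack: it encodes an LDAP simple BindRequest by hand (BER, per RFC 4511) and decodes it the way a server would, so the three RFC 4513 mechanisms can be recognised from the bytes. A name with an empty password is a perfectly well-formed request carrying a zero-length credential; a server that permits unauthenticated binds answers it with success, and a client that treats "bind succeeded" as "password correct" has just logged the attacker in. The last function is the missing check: classify the pair first and refuse to send anything that is not a name/password bind. The DN, message ids and password are made up.

```python
def _ber_len(n):
    """BER definite length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n):
    """Minimal two's-complement INTEGER contents for a non-negative n."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(data, pos):
    """Return (tag, contents, position after the element) for the element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    return tag, data[pos:pos + length], pos + length


def bind_mechanism(name, password):
    """Which of the RFC 4513 simple-bind mechanisms a name/password pair selects."""
    if not name and not password:
        return "anonymous"
    if name and not password:
        return "unauthenticated"
    if name and password:
        return "name/password"
    return "invalid"  # a password without a name is not one of the defined mechanisms


def build_simple_bind(message_id, name, password, version=3):
    """Encode LDAPMessage { messageID, BindRequest { version, name, simple password } }."""
    bind_request = _tlv(0x60,                             # [APPLICATION 0] BindRequest
                        _tlv(0x02, _ber_int(version))     # version INTEGER
                        + _tlv(0x04, name.encode())       # name LDAPDN
                        + _tlv(0x80, password.encode()))  # simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + bind_request)  # LDAPMessage


def decode_simple_bind(data):
    """Parse what the server sees: (message_id, version, name, password)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, req, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(req, 0)
    _, name, pos = _read_tlv(req, pos)
    tag, cred, _ = _read_tlv(req, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL or unknown choice)")
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(ver, "big", signed=True), name.decode(), cred.decode())


def build_authenticated_bind(message_id, name, password):
    """The guard the advisory describes: only ever send a name/password bind, so an
    empty password can never become a successful anonymous bind on a permissive server."""
    if bind_mechanism(name, password) != "name/password":
        raise ValueError("refusing to send a bind that is not name/password")
    return build_simple_bind(message_id, name, password)


if __name__ == "__main__":
    raw = build_simple_bind(1, "cn=alice,dc=example,dc=com", "")
    print(raw.hex())                                     # ends in 8000: empty credential
    print(bind_mechanism(*decode_simple_bind(raw)[2:]))  # unauthenticated
```

The same classification belongs on the server side too, which is what "disable unauthenticated binds" in the mitigation achieves: a server applying it answers the request above with unwillingToPerform instead of success.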


Re: [DISCUSS] CloudStack Future

2014-09-17 Thread John Kinsella
Ah, from that POV. Gotchya. I think also making it easier to develop the UI 
would help. Feels like a big black box to me, and probably to others…


On Sep 16, 2014, at 10:37 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:

So, most of the developers of CloudStack don’t use it as a user. If we dogfood, 
we try to make it more user friendly and improve its UX over time.





Re: [DISCUSS] CloudStack Future

2014-09-16 Thread John Kinsella
I love seeing thoughts/actions around organizing. 

but… (Rohit, you keep doing good stuff and I keep popping up to be negative, 
sorry :) )

Can we do this within the ASF infrastructure? Trello is cool (I’ve used it 
internally in the past) but can’t we do this on a Confluence page? This allows 
folks to use existing ASF credentials to be part of the party.  If there’s 
major reasons (usability or otherwise) that we can’t, let us know them. I know 
at least Rohit likes the cool new toys (not meant in a bad way) and that ASF 
usually won’t have the cool new toys (also not meant in a bad way) but I think 
we’ll benefit from building our sand castles within the existing sandbox…

That said…

ACS demo appliance - let’s chat on this one, I’ve got the basics in place 
https://www.youtube.com/watch?v=Ql8eAO9rvQE I’ve been slowly gearing to push 
that to https://github.com/jlk/LiveCloud

“Aim for stable master” gives me a really big :( but I get it.

Under Development column, what’s “ET” ?

VM importer shouldn’t be in development - this needs to be in production 
releases.

Would like to see an expansion on “developer dogfooding” - e.g. develop within 
ACS VMs, or??

Keep running with this - I’d just rather see it happening on existing 
"old-school" technology that Rohit doesn’t like ;)

John

Also, I believe we have a Jira Agile license, so if we really want to go down 
this path we can create agile/kanban stories/epics and do that whole thing.

On Sep 16, 2014, at 3:55 PM, Outback Dingo  wrote:

> Some of us would love to contribute, yet don't feel the requirement to
> sign-up for "sites" to simply post their feelings.
> That being said... heres mine in public.. remove the "dependency"
> on NFS as primary/secondary allow
> for more configurable storage options. Its one of the reasons why we
> dropped cloudstack. That and certain networking
> configuration requirements didn't fit our network topology.
> 
> On Wed, Sep 17, 2014 at 2:51 AM, Mike Tutkowski <
> mike.tutkow...@solidfire.com> wrote:
> 
>> Hi everyone,
>> 
>> First: Thanks to Rohit and Daan for working on this.
>> 
>> Next: Definitely feel free to e-mail ideas privately; however, I'd like to
>> especially encourage people to make their ideas known publicly, if you feel
>> comfortable doing this. Doing it publicly might make it easier for us as a
>> community to brainstorm the ideas and play around with taking them in
>> different directions.
>> 
>> Thanks!
>> Mike
>> 
>> On Tue, Sep 16, 2014 at 3:08 AM, Rohit Yadav 
>> wrote:
>> 
>>> Hi everyone,
>>> 
>>> Some of us are in Amsterdam and discussing various things we want to do
>>> for the project. I’ve aggregated some of them on a Trello board here:
>>> https://trello.com/b/nj8dDBWl/apache-cloudstack-future
>>> 
>>> Please share your ideas, publicly or private to me; I’ll add them on the
>>> board. Our main focus right now is testing, release quality and aligning
>>> efforts.
>>> 
>>> We’re now able to run simulator tests on TravisCI for 4.4 and master
>>> branches:
>>> https://travis-ci.org/apache/cloudstack/builds
>>> 
>>> Some of us are also experimenting with Github pull requests and we
>> already
>>> see that it’s encouraging to get TravisCI verify them.
>>> 
>>> Regards,
>>> Rohit Yadav
>>> Software Architect, ShapeBlue
>>> M. +41 779015219 | rohit.ya...@shapeblue.com
>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>> 
>>> 
>> 
>> 
>> 
>> --
>> *Mike Tutkowski*
>> *S

Re: assignVirtualMachine - Change domain (4.1.1)

2014-09-09 Thread John Kinsella
Yeah - that doesn’t work 100% - you’ll have to delete and re-create the fw 
rules, at least for advanced networking. Needs a tiny bit more refinement. :)

On Sep 9, 2014, at 3:42 PM, Nitin Mehta <nitin.me...@citrix.com> wrote:

Though I am averse to mucking around the db I know that John Kinsella
spoke about it recently in the Bay Area meet up.
Please find his slides (slide # 16) @
http://www.slideshare.net/jlkinsel/dont-break-the-glass

Thanks,
-Nitin

On 09/09/14 9:03 AM, "Ian Duffy"  wrote:

Hi All,

I'm wanting to use assignVirtualMachine to change the domain and account a
VM belongs to within Cloudstack.

Within version 4.1.1 this is not supported:
http://cloudstack.apache.org/docs/api/apidocs-4.1/root_admin/assignVirtualMachine.html

Transferring ownership to any domain was only implemented in a later
release.

Has anybody got a database modification work around for this?

I'm looking at modifying the domain_id, domain_uuid, account_id,
account_name, account_type for both volume and instance. I haven't tested
this yet, but I would love to hear anybody elses experience.

Thanks,

Ian


Stratosec - Secure Finance and Healthcare Clouds
http://stratosec.co
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>



Re: Logging...

2014-08-27 Thread John Kinsella
On agents or mgmt server, edit /etc/cloudstack/*/log4j-cloud.xml

Look for lines that read similar to 

  

And change INFO to DEBUG

On Aug 25, 2014, at 2:00 PM, Michael Phillips  wrote:

> Seems the logging level in 4.4 has been toned down, how do you crank it up to 
> verbose levels?
> 



Re: Windows - KVM - Virtio

2014-05-16 Thread John Kinsella
Yes. Significant performance boost to run in PV with drivers

Please excuse typos - sent from mobile device.

- Reply message -
From: "Jochim, Ingo" 
To: "'users@cloudstack.apache.org'" 
Subject: Windows - KVM - Virtio
Date: Fri, May 16, 2014 4:28 PM

Hi all,

is there any need to install the virtio drivers on Windows clients running on 
KVM hypervisors?
It is not mentioned in the documentation.

Thanks,
Ingo



REMINDER realhostip going away

2014-04-17 Thread John Kinsella
Reminder, folks - please migrate off realhostip.com or you’re going to get a 
nasty surprise this summer. More info at link below.

https://blogs.apache.org/cloudstack/entry/realhostip_service_is_being_retired

Re: OpenSSL Flaw

2014-04-10 Thread John Kinsella
Sorry folks that I didn’t send it to this list. To be accurate, it’s a blog 
post not a press release. We’ll have a formal solution in a few more days.

https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 9, 2014, at 5:19 AM, Antonio Packery <antonio.pack...@t-systems.co.za> wrote:

Here is the CloudStack press release,
How to Mitigate OpenSSL HeartBleed Vulnerability in Apache CloudStack

Wed Apr 09 2014 07:52:17 GMT+0200 (SAST)

Earlier this week, a security vulnerability was disclosed in OpenSSL, one of 
the software libraries that Apache CloudStack uses to encrypt data sent over 
network connections. As the vulnerability has existed in OpenSSL since 
early 2012, System VMs in Apache CloudStack versions 4.0.0-incubating-4.3 are 
running software using vulnerable versions of OpenSSL. This includes 
CloudStack's Virtual Router VMs, Console Proxy VMs, and Secondary Storage VMs.

We are actively working on creating updated System VM templates for each recent 
version of Apache CloudStack, and for each of the hypervisor platforms which 
Apache CloudStack supports. Due to our testing and QA processes, this will take 
several days. In the meantime, we want to provide our users with a temporary 
workaround for currently running System VMs.

If you are running Apache CloudStack 4.0.0-incubating through the recent 4.3 
release, the following steps will help ensure the security of your cloud 
infrastructure until an updated version of the System VM template is available:

1.  As an administrator in the CloudStack web UI, navigate to 
Infrastructure->System VMs
2.  For each System VM listed, note the host it is running on, and its "Link 
Local IP address."
3.  With that data, perform the following steps for each System VM:
   *   ssh into that host as root
   *   From the host, ssh into the SSVM via its link local IP address: (e.g. 
ssh -i /root/.ssh/id_rsa.cloud -p 3922 169.254.3.33)
   *   On the System VM, first run "apt-get update"
   *   Then run apt-get install openssl. If a dialog appears asking to restart 
programs, accept its request.
   *   Next, for Secondary Storage VMs, run /etc/init.d/apache2 restart
   *   Log out of the System VM and host server
4.  Back in the CloudStack UI, now navigate to Infrastructure->Virtual Routers. 
For each VR, note the host it's running on and its link local IP address, and 
then repeat steps a-f above.

We realize that for larger installations where System VMs are being actively 
created and destroyed based on customer demand, this is a very rough stop-gap. 
The Apache CloudStack security team is actively working on a more permanent fix 
and will be releasing that to the community as soon as possible.

For Apache CloudStack installations that secure the web-based user-interface 
with SSL, these may also be vulnerable to HeartBleed, but that is outside the 
scope of this blog post. We recommend testing your installation with [1] to 
determine if you need to patch/upgrade the SSL library used by any web servers 
(or other SSL-based services) you use.

1: http://filippo.io/Heartbleed/

On 04/09/2014 12:03 PM, Len Bellemore wrote:

Hi Guys,

Does anyone know which version of ACS are affected by the Heartbleed OpenSSL 
flaw?
- http://heartbleed.com/

Thanks
Len




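On an installation of any size, clicking through the UI for every system VM and router in the four steps above is where the stop-gap falls down, and the same inventory is available from the API. The following is an added example in Python, not code from the blog post or from the CloudStack project: it signs CloudStack API requests the way the API requires (parameters sorted by name, the whole query string lowercased, HMAC-SHA1 with the secret key, base64), and turns listSystemVms/listRouters results into the per-VM command list of steps 3 and 4. The endpoint URL and key names are placeholders, the response field names hostname, linklocalip and systemvmtype are assumed from the API, and the two responses are constructed sample data. The script only plans the commands; it does not run them.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from urllib.parse import quote


def sign_request(params, secret_key):
    """CloudStack API signing: sort parameters by name, URL-encode the values, lowercase
    the whole query string, HMAC-SHA1 it with the secret key and base64 the digest.
    Returns (query string as sent, signature)."""
    query = "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in sorted(params.items()))
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    return query, base64.b64encode(digest).decode()


def signed_url(endpoint, command, api_key, secret_key, **extra):
    params = {"command": command, "apikey": api_key, "response": "json", **extra}
    query, signature = sign_request(params, secret_key)
    return f"{endpoint}?{query}&signature={quote(signature, safe='')}"


def api_call(endpoint, command, api_key, secret_key, **extra):
    """Perform one signed GET and return the decoded JSON body (needs a reachable server)."""
    with urllib.request.urlopen(signed_url(endpoint, command, api_key, secret_key, **extra)) as r:
        return json.load(r)


SSH_KEY, SSH_PORT = "/root/.ssh/id_rsa.cloud", 3922   # from step 3 of the procedure


def plan_systemvm_patches(systemvms, routers):
    """Turn listSystemVms / listRouters entries into the per-VM steps of the procedure.
    Field names hostname, linklocalip and systemvmtype are assumed from the API responses.
    Returns one dict per VM: the host to log in to, the ssh command to run there, and the
    commands to run inside the system VM. Nothing is executed."""
    plan = []
    for vm in list(systemvms) + list(routers):
        on_vm = ["apt-get update", "apt-get install openssl"]
        if vm.get("systemvmtype") == "secondarystoragevm":
            on_vm.append("/etc/init.d/apache2 restart")   # step 3: SSVMs only
        plan.append({"host": vm["hostname"], "ip": vm["linklocalip"],
                     "ssh": f"ssh -i {SSH_KEY} -p {SSH_PORT} {vm['linklocalip']}",
                     "on_vm": on_vm})
    return plan


# Constructed sample responses in the shape of listSystemVms and listRouters output.
SAMPLE_SYSTEMVMS = json.loads("""{"listsystemvmsresponse": {"count": 2, "systemvm": [
  {"name": "s-1-VM", "systemvmtype": "secondarystoragevm",
   "hostname": "kvm-host-01", "linklocalip": "169.254.3.33"},
  {"name": "v-2-VM", "systemvmtype": "consoleproxy",
   "hostname": "kvm-host-02", "linklocalip": "169.254.1.12"}]}}""")
SAMPLE_ROUTERS = json.loads("""{"listroutersresponse": {"count": 1, "router": [
  {"name": "r-3-VM", "hostname": "kvm-host-01", "linklocalip": "169.254.2.5"}]}}""")


def sample_plan():
    return plan_systemvm_patches(SAMPLE_SYSTEMVMS["listsystemvmsresponse"]["systemvm"],
                                 SAMPLE_ROUTERS["listroutersresponse"]["router"])


if __name__ == "__main__":
    # With real credentials the two inventory calls would be (placeholder endpoint and keys):
    #   api_call("http://mgmt:8080/client/api", "listSystemVms", API_KEY, SECRET_KEY)
    #   api_call("http://mgmt:8080/client/api", "listRouters", API_KEY, SECRET_KEY, listall="true")
    for step in sample_plan():
        print(f"# on {step['host']} as root, system VM {step['ip']}")
        print("  " + step["ssh"])
        for c in step["on_vm"]:
            print("    " + c)
```

Because the signature is computed over the lowercased query string, `listSystemVms` and `listsystemvms` sign identically; the server lowercases in the same way before verifying, which is why hand-built clients that forget this step get 401s for no visible reason.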

REMINDER please send security issues to security@

2014-03-28 Thread John Kinsella
Folks - in the last week or three we’ve had 2 Jira issues created for 
security-related issues. In both cases, they seem to be false-positives, 
luckily.

If you think you have found a security issue in ACS, please email 
secur...@cloudstack.apache.org.

This gives us a chance to investigate and create patches, and give the 
community the best shot of minimizing malicious groups leveraging 
vulnerabilities.

More info about reporting security issues and our response process can be found 
at [1]

John
1: https://cloudstack.apache.org/security.html



[ANNOUNCE] Realhostip Service is Being Retired

2014-03-25 Thread John Kinsella
Realhostip Service is Being Retired


Recently the Apache CloudStack PMC was informed that the realhostip.com Dynamic 
DNS service that CloudStack currently uses as part of the console proxy will be 
disbanded this summer. The realhostip service will be shut down June 30th, 
2014, meaning users have approximately 3 months to mitigate this.

Prior to version 4.3, CloudStack used the realhostip.com service by default. 
With the release of CloudStack version 4.3 the default communication method 
with the console proxy is plaintext HTTP.

Who is Affected

CloudStack installations prior to version 4.3 that have not been reconfigured 
to use a DNS domain other than realhostip.com for Console Proxy or Secondary 
Storage must make changes to continue functioning past June 30th, 2014.

Steps You Need to Take

If you meet the criteria above, there are several options to prepare for 
realhostip retirement:

• Set up wildcard SSL certificate and DNS entries: This method is 
already well supported within prior versions of CloudStack.
• Upgrade to CloudStack 4.3 and disable SSL: This is only recommended 
for development installations, or private clouds that contain no information of 
importance.
• Upgrade to CloudStack 4.3, set up static SSL certificate and 
configure load balancer to point to the correct IP address: While this allows 
an administrator to skip setting up the DNS entries from the previous option, 
it is a more advanced option as CloudStack 4.3 does not support automatic load 
balancer configuration for the Console Proxy. It is hoped this functionality 
will be available in future releases.
For instructions on how to set up SSL encryption for use with CloudStack 
console proxy, please read the console proxy section of the CloudStack 
administration guide.

Additionally, if you will be using an SSL vendor who requires an intermediate 
CA chain to be installed for proper SSL validation by web browsers, detailed 
instructions for configuring the intermediate CA chain in CloudStack can be 
found here.

The Apache CloudStack security team does not recommend running a production 
cloud with either the realhostip.com SSL certificate, or with no SSL encryption 
at all.

Re: [ANNOUNCE] Realhostip Service is Being Retired

2014-03-25 Thread John Kinsella
(Sorry folks - resend, with links at bottom)
Realhostip Service is Being Retired


Recently the Apache CloudStack PMC was informed that the 
realhostip.com Dynamic DNS service that CloudStack 
currently uses as part of the console proxy will be disbanded this summer. The 
realhostip service will be shut down June 30th, 2014, meaning users have 
approximately 3 months to mitigate this.

Prior to version 4.3, CloudStack used the 
realhostip.com service by default. With the release of 
CloudStack version 4.3 the default communication method with the console proxy 
is plaintext HTTP.

Who is Affected

CloudStack installations prior to version 4.3 that have not been reconfigured 
to use a DNS domain other than realhostip.com for 
Console Proxy or Secondary Storage must make changes to continue functioning 
past June 30th, 2014.

Steps You Need to Take

If you meet the criteria above, there are several options to prepare for 
realhostip retirement:

• Set up wildcard SSL certificate and DNS entries: This method is already well 
supported within prior versions of CloudStack.
• Upgrade to CloudStack 4.3 and disable SSL: This is only recommended for 
development installations, or private clouds that contain no information of 
importance.
• Upgrade to CloudStack 4.3, set up static SSL certificate and configure load 
balancer to point to the correct IP address: While this allows an administrator 
to skip setting up the DNS entries from the previous option, it is a more 
advanced option as CloudStack 4.3 does not support automatic load balancer 
configuration for the Console Proxy. It is hoped this functionality will be 
available in future releases.
For instructions on how to set up SSL encryption for use with CloudStack 
console proxy, please read the console proxy section of the CloudStack 
administration guide[1].

Additionally, if you will be using an SSL vendor who requires an intermediate 
CA chain to be installed for proper SSL validation by web browsers, detailed 
instructions for configuring the intermediate CA chain in CloudStack can be 
found at [2].

The Apache CloudStack security team does not recommend running a production 
cloud with either the realhostip.com SSL certificate, 
or with no SSL encryption at all.

1: 
http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy
2: 
http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html


Re: [PROPOSAL] Support pure Xen as a hypervisor

2014-03-18 Thread John Kinsella
+1

On Mar 18, 2014, at 8:40 AM, Tim Mackey <tmac...@gmail.com> wrote:

Historically CloudStack has used Xen and XenServer interchangeably to refer
to any XenAPI based implementation.  With the recent release of Xen Project
4.4 (http://blog.xen.org/index.php/2014/03/10/xen-4-4-released/), and
interest in alternate architectures like ARM, the loose definition of our
Xen support could be confusing.  In this two part effort I propose that
CloudStack 4.4 be cleansed to ensure that all Xen references become
XenServer references, and second that an alternate hypervisor type of
"XenProject" be introduced for pure Xen which could either support libvirt
or  libxl (preference for libvirt given the 4.4 work to improve the
interface and broader support for libvirt in general).

Cross posted to users to for broader comment.

-tim

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Custom billing Application using CloudStack API

2014-03-06 Thread John Kinsella
I was avoiding the convo and looking forward to the Denver talk, but since HB 
was directly mentioned...

We use Hostbill…opinions are mixed, mostly because they encrypt the php code so 
we can’t easily modify things. We are not yet using the metered billing 
functionality.

Hostbill’s management are engineers with little business sense, and 
unfortunately frequently rub customers the wrong way, as a result customers 
have created their own forums[1] I think when hb shut down the ones they used 
to run. They’re quick to respond, and the product is constantly gaining new 
functionality, so there are a lot of positives about the product.

Actually, browsing around, I see they charge new customers for the CS module 
now…sigh.

What I’d say is if you’re looking to run a clean/simple public IaaS and need a 
customer control panel/billing solution, consider HB. If you expect to need 
more functionality than on their CS page [2], at some point it’ll be better to 
build in-house.

I’d love to see a solid open-source replacement for things like WHMCS/Hostbill, 
but this is one of those areas where companies tend to build in-house.

John
1:http://hostbillforums.com/
2:http://hostbillapp.com/features/apps/cloudstack.html

On Mar 6, 2014, at 7:38 AM, Juan Gomez  wrote:

> Does anyone know in more depth if Hostbill is a good solution for billing 
> with cloudstack? Or how was your experience using Hostbill integrated with 
> cloudstack?.
> 
> De: Adrian Lewis 
> mailto:adr...@alsiconsulting.co.uk>>
> Responder a: 
> "users@cloudstack.apache.org" 
> mailto:users@cloudstack.apache.org>>
> Fecha: jueves, 6 de marzo de 2014 8:57 a.m.
> Para: "users@cloudstack.apache.org" 
> mailto:users@cloudstack.apache.org>>
> Asunto: RE: Custom billing Application using CloudStack API
> 
> Not sure of the quality or its applicability to what you're doing but
> Hostbill have recently updated their Cloudstack integration to work with
> the usage data for a more utility-like way of billing.
> 
> -Original Message-
> From: Juan Gomez [mailto:juan.go...@kumo.com.co]
> Sent: 06 March 2014 13:54
> To: users@cloudstack.apache.org
> Subject: Re: Custom billing Application using CloudStack API
> 
> Thank you all for your help, this user list is great.
> 
> De: ilya musayev
> mailto:ilya.mailing.li...@gmail.com>>
> Responder a:
> "users@cloudstack.apache.org"
> mailto:users@cloudstack.apache.org>>
> Fecha: miércoles, 5 de marzo de 2014 5:58 p.m.
> Para: 
> "users@cloudstack.apache.org"
> mailto:users@cloudstack.apache.org>>
> Asunto: Re: Custom billing Application using CloudStack API
> 
> We've used Amysta for CloudStack Billing Solution. Easy to integrate,
> flexible and affordable.
> 
> I've done a demo here. Fast forward to 10:45 (this is an older version,
> newer is obviously better) http://www.youtube.com/watch?v=4wuEPoxVlBM
> 
> On Wednesday, March 5, 2014, Paul Angus
> mailto:paul.an...@shapeblue.com>>
>  wrote:
> Hi Juan,
> 
> We (ShapeBlue) have done a number of projects involving billing
> integration with Cloud Portal Business Manager so we would certainly have
> insights into how this can be achieved. Perhaps you should get in touch
> with us off-list
> 
> Regards
> 
> Paul Angus
> Cloud Architect
> S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
> paul.an...@shapeblue.com
> 
> -Original Message-
> From: Juan Gomez [mailto:juan.go...@kumo.com.co]
> Sent: 05 March 2014 16:23
> To: 
> users@cloudstack.apache.org
> Subject: Custom billing Application using CloudStack API
> 
> Hi everyone
> 
> I work for a company name Kumo (www.kumo.com.co). We are one of the most
> important public clouds in Colombia, all of our platforms are based on
> cloudstack and Cloud business portal. Right now we have a very complex
> problem because we are not being able to bill our customers automatically.
> This is because all of our customers have different prices for the same
> kind of product or VM, this is due to commercial issues and negotiations
> that are necessary to do in the colombian market. So we want to build a
> billing web application using the cloudstack API in order to create bills
> for customers automatically and also send alerts and take
> actions to suspend services if payments are not being received. Does
> anyone know examples of this kind of application using the cloudstack API,
> or have any insights on how we should approach this problem.
> 
> Thank you for your help and pardon m

Re: Adding a host with running VM's issu

2014-03-04 Thread John Kinsella
This would be a super-cool feature to add to ACS. It’s sorta the 
cloud-orchestration equivalent of having to add 1000 nodes to nagios.  Would be 
interesting to discuss with folks over a tasty beverage in Denver...

On Mar 4, 2014, at 2:44 AM, Badi  wrote:

> hello cloudstack users,
> 
> Can anyone tell me why CloudStack doesn't allow us to add hosts running VMs?
> 
> thx
> 
> 
> 




Re: Why no use sync rather than async for NFS storage?

2014-02-24 Thread John Kinsella
Just created CLOUDSTACK-6166 to change this, or at least get a good reason for 
why folks think it’s OK.

On Feb 24, 2014, at 8:57 AM, John Kinsella  wrote:

> Interesting - hadn’t noticed that.
> 
> Async is generally faster, at the risk of data loss as the client isn’t 
> guaranteed data write on the server. Not something I’d run in production.
> 
> John
> 
> On Feb 23, 2014, at 10:33 PM, Amin Samir  wrote:
> 
>> Hello,
>> 
>> All CloudStack documentation prepares the NFS share using async; why not use 
>> sync for better data protection?
>> 
>> Has anyone used NFS shares with sync? What would be the drawbacks, if any?
>> 
>> Thanks for your valuable responses.
>> Amin
>>
> 
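
As an added example (not code from this thread or from CloudStack), a POSIX sh check that reads an exports(5) file and reports every client entry that is not explicitly exported with sync, which is the setting John warns about above; the exports file below is a constructed sample, and the paths and client addresses in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from CloudStack: audit an exports(5)
# file for shares that are not explicitly exported with "sync".
# "async" lets the server acknowledge writes before they reach stable storage,
# which is the data-loss risk described above.

# write_mode OPTS -> prints sync, async or default.
# OPTS is the comma-separated list from inside the parentheses of an entry.
# "default" means neither keyword was given: nfs-utils then uses sync and
# exportfs warns, but the intent should be stated explicitly.
write_mode() {
  mode=default
  old_ifs=$IFS
  IFS=,
  for opt in $1; do
    case $opt in
      sync)  mode=sync ;;
      async) mode=async ;;
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "$mode"
}

# audit_exports FILE -> prints "path client mode" for every client entry that
# is not explicitly sync; returns 0 if every entry is sync, 1 otherwise.
audit_exports() {
  file=$1
  status=0
  set -f                              # no globbing: "*" is a valid client
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                  # drop comments
    set -- $line                      # path, then client(options) entries
    [ $# -ge 2 ] || continue          # blank line or no clients listed
    path=$1
    shift
    for entry in "$@"; do
      case $entry in
        *\(*\)) client=${entry%%\(*}; opts=${entry#*\(}; opts=${opts%\)} ;;
        *)      client=$entry;        opts= ;;
      esac
      mode=$(write_mode "$opts")
      if [ "$mode" != sync ]; then
        printf '%s %s %s\n' "$path" "$client" "$mode"
        status=1
      fi
    done
  done <"$file"
  set +f
  return $status
}

# Constructed sample exports file (not a real CloudStack configuration).
SAMPLE_EXPORTS=$(mktemp)
cat >"$SAMPLE_EXPORTS" <<'EOF'
# primary and secondary storage for a test zone (constructed sample)
/export/primary   10.1.1.0/24(rw,async,no_root_squash)
/export/secondary 10.1.1.0/24(rw,sync,no_root_squash) 10.1.2.5(rw)
/export/iso       *(ro)
EOF

# Prints the entries that are not sync; a non-zero status means some were found.
if ! audit_exports "$SAMPLE_EXPORTS"; then
  echo "exports without explicit sync found, review before using for storage" >&2
fi
```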



Re: Why no use sync rather than async for NFS storage?

2014-02-24 Thread John Kinsella
Interesting - hadn’t noticed that.

Async is generally faster, at the risk of data loss as the client isn’t 
guaranteed data write on the server. Not something I’d run in production.

John

On Feb 23, 2014, at 10:33 PM, Amin Samir  wrote:

> Hello,
> 
> All CloudStack documentation prepares the NFS share using async; why not use 
> sync for better data protection?
> 
> Has anyone used NFS shares with sync? What would be the drawbacks, if any?
> 
> Thanks for your valuable responses.
> Amin
> 



Re: CoreOS and Cloudstack

2014-02-21 Thread John Kinsella
I just imported their KVM image [1] and spun up a VM with it - that far, no 
problem. So, it runs.

Next step - need to build a coreos image with support to get the ssh keys from 
CloudStack [2] 

John
1: http://storage.core-os.net/coreos/amd64-generic/dev-channel/coreos_production_qemu_image.img.bz2
2: https://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/using-sshkeys.html

On Feb 20, 2014, at 2:46 PM, Andrei Mikhailovsky  wrote:

> Hello guys, 
> 
> 
> I was wondering if anyone has managed to make CoreOS run within ACS? I've 
> seen docs on how to run CoreOS on OpenStack, but couldn't find anything for 
> ACS. 
> 
> 
> Thanks 
> 
> 
> Andrei



Re: CloudStack WebUI Loads Up Very Slow

2014-02-20 Thread John Kinsella
Is the sluggishness during the initial (login) load, or on every page? Is this 
new sluggishness when you went to HA, or was it always there?

The UI is designed to have a heavy initial load and then be mostly AJAX and 
more responsive after that. The initial UI load is fairly huge - tons of JS, 
CSS, etc.

I did a blog post[1] recently on how I was able to speed this up a bit - might 
be of use.

1: http://theresnomon.co/2014/improving-cloudstack-ui-performance/

John


On Feb 20, 2014, at 12:59 AM, iliyas shirol <iliyas.shi...@gmail.com> wrote:

Thanks for the response.

We have added a VIP to point it to these 2 management servers. As per the
cloudstack documentation we need to add the VIP IP address into the 'host'
variable.

Even though we are facing the same sluggishness.



On Thu, Feb 20, 2014 at 1:59 AM, Daniel Nascimento <
daniel.nascime...@telecall.com> wrote:

I have faced this "lag" while using FQDNs - try it by IP and see if it
stays slow.

If it gets faster by IP - you should do as I did and search for FQDN
problems. Maybe the "hosts" file on the server is not properly set, DNS
problems, anything like that.

Best regards,


--
Daniel Nascimento
Telecall USA and BRAZIL
IT Manager
Office Phone Brazil: +55(21) 3002-0540
Office Phone US: +1 954 213 6097
Mobile Brazil: +55(21) 99591304
Skype: dorsalsolutions

-Original Message-
From: iliyas shirol [mailto:iliyas.shi...@gmail.com]
Sent: Wednesday, February 19, 2014 16:37
To: users@cloudstack.apache.org
Subject: CloudStack WebUI Loads Up Very Slow

Greetings!

We have 2 management servers in HA. The CloudStack WebUI takes more than 15
seconds to load while accessing it using any browser. The management server
has good specs though.

Does anyone else in the forum face similar sluggishness? We use the 4.2.1
release.

Thanks.

--
-
Md. Iliyas Shirol
Mobile : +91 9902 977 800
Google : iliyas.shirol@ gmail.com





Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Unable to set permissions Cloudstack 4.3

2014-02-17 Thread John Kinsella
I just created CLOUDSTACK-6128 after seeing this.

a) We shouldn’t be setting filesystem permissions wide open
b) If and when we do set permissions, we should care about the results
c) We shouldn’t be displaying “errors" that users can ignore

Will see if I can clean some of that up over the next few days.

On Feb 17, 2014, at 3:46 AM, Rajesh Battala <rajesh.batt...@citrix.com> wrote:

Did the system VMs come up and get reported as "UP" in the infra page?
If yes, it's not an issue to be worried about.

-Original Message-
From: Tejas Gadaria [mailto:refond.g...@gmail.com]
Sent: Monday, February 17, 2014 4:41 PM
To: users@cloudstack.apache.org; 
d...@cloudstack.apache.org
Subject: Unable to set permissions Cloudstack 4.3

Though I am able to create system VMs successfully on Hyper-V, the logs were 
showing the following. Is this related to storage permissions for the management 
server?
What kind of problem can it create?


2014-02-17 16:26:45,777 DEBUG [c.c.a.m.DirectAgentAttache]
(DirectAgent-20:ctx-c2a52c69) Seq 1-92012587: Executing request
2014-02-17 16:26:46,435 DEBUG [c.c.h.h.m.HypervManagerImpl]
(DirectAgent-56:ctx-a1715f20) Execution is successful.
2014-02-17 16:26:46,436 DEBUG [c.c.h.h.m.HypervManagerImpl]
(DirectAgent-56:ctx-a1715f20) Executing: sudo chmod -R 777
/var/cloudstack/mnt/VM/345049283025.8748e72
2014-02-17 16:26:46,454 DEBUG [c.c.h.h.m.HypervManagerImpl]
(DirectAgent-56:ctx-a1715f20) Exit value is 1
2014-02-17 16:26:46,455 DEBUG [c.c.h.h.m.HypervManagerImpl]
(DirectAgent-56:ctx-a1715f20) chmod: changing permissions of
`/var/cloudstack/mnt/VM/345049283025.8748e72':* Permission denied*
2014-02-17 16:26:46,455 WARN  [c.c.h.h.m.HypervManagerImpl]
(DirectAgent-56:ctx-a1715f20) *Unable to set permissions for
/var/cloudstack/mnt/VM/345049283025.8748e72 due to chmod: changing permissions 
of `/var/cloudstack/mnt/VM/345049283025.8748e72': Permission
denied*
2014-02-17 16:26:46,459 INFO  [c.c.h.h.m.HypervManagerImpl]
(DirectAgent-56:ctx-a1715f20) Copy System VM patch ISO file to secondary 
storage. source ISO: /usr/share/cloudstack-common/vms/systemvm.iso,
destination:
/var/cloudstack/mnt/VM/345049283025.8748e72/systemvm/systemvm-4.3.0.iso
2014-02-17 16:27:06,940 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(RouterStatusMonitor-1:ctx-11ca781d) Found 0 routers to update status.
2014-02-17 16:27:06,941 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(RouterStatusMonitor-1:ctx-11ca781d) Found 0 networks to update RvR status.


Regards,
Tejas

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Software licensing in the cloud

2014-02-11 Thread John Kinsella
I spent too much time researching this last year…I’d consider 
http://www.aidanfinn.com/?p=13090 to be the gold standard on explaining the 
topic in an understandable manner.

On Feb 11, 2014, at 4:30 AM, Ricardo Makino <ricardo.n...@gmail.com> wrote:

Hi Everyone,

I have a doubt about what kind of software licensing you use to provide
Microsoft instances in an IaaS environment, such as Windows Server
instances.

Regards,
--
Ricardo Makino

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Distributed Intrusion Detection System in Cloud Computing

2013-11-21 Thread John Kinsella
Hey Robert!

On Nov 16, 2013, at 11:53 AM, Robert Bruce  wrote:

> Hi, hope all of you are fine and doing your best for the development of
> the open source community.
> 
> I want your suggestions and help regarding my project. I am going to start
> my master's thesis in the domain of Cloud Computing
> I want to develop a Signature Based Distributed Intrusion Detection System
> (DIDS) to detect distributed intrusions in Cloud environment.
> Yes, I intend to deploy it in CloudStack.

First thought: signature-based systems are useless. They're great for 
low-hanging fruit, but anybody who takes the time to craft packets/binaries 
will circumvent it. Or worse, they'll craft packets to set it off and kill 
detection performance while they go about their real attack. For the early 
stages of your project they'll work fine, but architect things so you can swap 
that out for anomaly-based detection (or a mixture)

(Insert rant on signature based AV systems, the amount of money we've paid 
Symantec et al, and the increase - not decrease - in infected systems)

The main thing to consider - you might want to do some correlation on each 
host, but really you need a separate system to correlate between events seen by 
various hosts.

Also - what are you attempting to detect? Network intrusions? System 
intrusions? Public Internet or activity between hosts? Are you looking to work 
in CloudStack's basic network model, advanced with VLANs, or something with 
SDN? Also consider all the event data being generated by ACS itself. 

Plenty of space for you to do research in here, just thinking you might want to 
define things a little more narrow…also, look around - some of the three-letter 
government agencies are working on big-data analytics, not sure if any of the 
work is public or not yet[1].

John
1: This wasn't meant as a Snowden joke

Re: realhostip.com down?

2013-11-06 Thread John Kinsella
I'm seeing similar in San Francisco, CA…

On Nov 6, 2013, at 6:52 PM, Steve Searles  wrote:

> -bash-3.2$ dig @8.8.8.8 ns.realhostip.com +trace
> 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> @8.8.8.8 ns.realhostip.com 
> +trace
> ; (1 server found)
> ;; global options:  printcmd
> .   20652   IN  NS  m.root-servers.net.
> .   20652   IN  NS  j.root-servers.net.
> .   20652   IN  NS  l.root-servers.net.
> .   20652   IN  NS  e.root-servers.net.
> .   20652   IN  NS  a.root-servers.net.
> .   20652   IN  NS  k.root-servers.net.
> .   20652   IN  NS  c.root-servers.net.
> .   20652   IN  NS  d.root-servers.net.
> .   20652   IN  NS  h.root-servers.net.
> .   20652   IN  NS  i.root-servers.net.
> .   20652   IN  NS  f.root-servers.net.
> .   20652   IN  NS  g.root-servers.net.
> .   20652   IN  NS  b.root-servers.net.
> ;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 25 ms
> 
> com.172800  IN  NS  a.gtld-servers.net.
> com.172800  IN  NS  b.gtld-servers.net.
> com.172800  IN  NS  c.gtld-servers.net.
> com.172800  IN  NS  d.gtld-servers.net.
> com.172800  IN  NS  e.gtld-servers.net.
> com.172800  IN  NS  f.gtld-servers.net.
> com.172800  IN  NS  g.gtld-servers.net.
> com.172800  IN  NS  h.gtld-servers.net.
> com.172800  IN  NS  i.gtld-servers.net.
> com.172800  IN  NS  j.gtld-servers.net.
> com.172800  IN  NS  k.gtld-servers.net.
> com.172800  IN  NS  l.gtld-servers.net.
> com.172800  IN  NS  m.gtld-servers.net.
> ;; Received 495 bytes from 192.203.230.10#53(e.root-servers.net) in 2083 ms
> 
> realhostip.com. 172800  IN  NS  ns.realhostip.com.
> realhostip.com. 172800  IN  NS  ns2.realhostip.com.
> ;; Received 99 bytes from 192.26.92.30#53(c.gtld-servers.net) in 24 ms
> 
> -bash-3.2$ ping ns.realhostip.com
> 
> -bash-3.2$ dig @8.8.8.8 realhostip.com
> 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> @8.8.8.8 realhostip.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64588
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;realhostip.com.IN  A
> 
> ;; Query time: 4038 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Nov  6 21:50:55 2013
> ;; MSG SIZE  rcvd: 32
> 
> -bash-3.2$
> 
> Steve Searles
> Director, Network Operations
> Zimcom Internet Solutions, Inc.
> http://www.zimcom.net
> Phone. (513)231-9500
> Fax. (513)624-3909
> Toll Free. (888)624-3910
> 



Re: [PROPOSAL] Service monitoring tool in virtual router

2013-11-06 Thread John Kinsella
Thx for putting this together, Jayapal. A few comments:

I'd really like to have a config flag to specify if things should be restarted 
automatically or not. Worst case, track the restarts - if a service is 
restarted more than X times in Y seconds, something's obviously wrong so stop 
tail-chasing[1]. Personally I'm much more interested in knowing there's a 
problem and then taking whatever happens to be the appropriate actions for our 
situation.

Regarding communicating with a monitoring system - what makes more sense to me 
is setting up a solid framework that provides folks flexibility to use various 
monitoring tools, from sending an email to contacting pager duty or whatever.

So, to me there's 3 parts to that:
1) At VR creation, ACS calls defined hook-script which knows how to contact 
monitoring system to tell it about system to monitor
2) At boot, VR sends API query to which the mgmt server responds with a URL for 
an install script - VR runs that to download/setup appropriate monitoring agent
3) VR has standardized scripts for agent to call to find out what should be 
running, and then agent can go check for itself.

With a setup like this, you can support SNMP, Opsview/Nagios, Monit, NSA, 
Zenoss, HPOV, Tivoli, etc etc etc. I'll happily write the Opsview/Nagios module 
(I'm thinking module is hosted outside ACS, but I guess it could be a plugin - 
see earlier licensing points).

Thoughts?

Just my 2c. Happy to tweak wiki if folks lean towards this.

John
1: Aside - this applies to SSVM creation currently - that hamster[2] keeps 
trying to spin that create SSVM wheel..
2: Apache CloudHamster, CloudMonkey's furry monitoring friend?

On Nov 6, 2013, at 7:58 AM, Jayapal Reddy Uradi  
wrote:

> Please find below update FS
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Monitoring+VR+services
> 
> Thanks,
> Jayapal
> 
> On 05-Oct-2013, at 6:54 PM, Santhosh Edukulla  
> wrote:
> 
>> A shell script can be used. A few thoughts below:
>> 
>> 1. Collect the process id of all daemons you want to monitor using the "pidof" 
>> command and then use the "kill" command to check if the pid you got is valid. 
>> Using kill we can send signal 0, then check the status using echo $? . For 
>> sending a notification use the Linux syslog call (man 3 syslogd) or the "logger" 
>> command to send to syslog. If you want to send email then you may also have to 
>> check for a firewall not allowing outbound SMTP port communication. Even for 
>> SNMP the same holds (I mean if there is any blocking through firewall rules). 
>> Using syslog may be good as it by default exposes various debug log levels 
>> through its API call.
>> 
>> Now, to keep the monitor script always up and running: keep the monitor 
>> script running continuously through cron or at, at regular/scheduled intervals. 
>> This way even if the monitor script goes down, at the next xth interval it is up 
>> again. 
>> 
>> With this there is a catch though: we may get multiple pids for a given 
>> daemon if there are multiple daemons spawned by the same/multiple 
>> applications. If this scenario is not common then it's ok; otherwise we may 
>> have to track it differently, maintaining the state of each spawned daemon and 
>> seeing if it exists. If multiple applications launch the same daemon, you may 
>> also want to say it's the application which got killed. EX: A launched httpd, 
>> and during its exit logic it is killing all daemons it launched; then you 
>> may want to add "A is not available", rather than just "http is not 
>> available". 
>> 
>> 
>> 2. Using the netstat command: check for available, listening and active ports 
>> on the local host, provided all the daemons you want to monitor are running on 
>> "standard" ports or we know the listening ports of those daemons to be 
>> monitored. Again, this script can be added through cron/at to be scheduled 
>> to run every x units; if it gets killed, the next x units after, the monitor script 
>> is up again. 
>> 
>> Also, there could be many other approaches as well.
>> 
>> 
>> Thanks!
>> Santhosh 
>> 
>> From: Jayapal Reddy Uradi [jayapalreddy.ur...@citrix.com]
>> Sent: Saturday, October 05, 2013 5:17 AM
>> To: 
>> Cc: 
>> Subject: Re: [PROPOSAL] Service monitoring tool in virtual router
>> 
>> Hi,
>> 
>> +users list
>> If any one is already using any tools for monitoring then please share your 
>> ideas.
>> Also share the cases where you experienced service crashes.
>> 
>> Thanks,
>> Jayapal
>> 
>> On 05-Oct-2013, at 4:12 AM, Chiradeep Vittal  
>> wrote:
>> 
>>> Well just make sure that your script is resilient to its own crashes as
>>> well.
>>> 
>>> On 10/4/13 1:59 AM, "Jayapal Reddy Uradi" 
>>> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I am planning to write a script utility to monitor processes and restart them in
>>>> the event of failure. It will also log the events.
>>>> 
>>>> Thanks,
>>>> Jayapal
>>>> 
>>>> On 02-Oct-2013, at 3:25 AM, Simon Weller  wrote:
>>>> 
>>>>> supervisord maybe?
>>>>> 
>>>>> --
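
As an added example (not code from the proposal, this thread or CloudStack), a small POSIX sh watchdog in the spirit of Santhosh's pidof/kill/logger sketch, with the restart throttle John asks for: after MAX_RESTARTS restarts within WINDOW_SECS it stops restarting and escalates instead. The service names, restart commands and state directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the proposal, the thread or CloudStack: a POSIX sh
# watchdog along the lines of the pidof/kill/logger sketch above, with the
# restart throttle suggested above (stop restarting a service that has been
# restarted MAX_RESTARTS times within WINDOW_SECS and escalate instead).
# Service names, restart commands and the state directory are assumptions.

MAX_RESTARTS=${MAX_RESTARTS:-3}        # restarts tolerated ...
WINDOW_SECS=${WINDOW_SECS:-300}        # ... within this many seconds
STATE_DIR=${STATE_DIR:-/tmp/vr-monitor}

# log LEVEL MESSAGE -> syslog via logger(1) when it works, otherwise stderr.
log() {
  if command -v logger >/dev/null 2>&1 &&
     logger -t vr-monitor -p "daemon.$1" -- "$2" 2>/dev/null; then
    return 0
  fi
  printf 'vr-monitor %s: %s\n' "$1" "$2" >&2
}

# pid_alive PID -> 0 if the process exists. Signal 0 delivers nothing; kill
# only reports whether the pid is there (and whether we may signal it).
pid_alive() {
  kill -0 "$1" 2>/dev/null
}

# service_running NAME -> 0 if pidof finds at least one live process NAME.
service_running() {
  pids=$(pidof "$1" 2>/dev/null) || return 1
  for p in $pids; do
    pid_alive "$p" && return 0
  done
  return 1
}

# restarts_in_window NAME NOW -> prints the number of restarts of NAME recorded
# within the last WINDOW_SECS before NOW (epoch seconds); older entries are pruned.
restarts_in_window() {
  mkdir -p "$STATE_DIR"
  f=$STATE_DIR/$1.restarts
  [ -f "$f" ] || : >"$f"
  cutoff=$(( $2 - WINDOW_SECS ))
  awk -v c="$cutoff" '$1 >= c' "$f" >"$f.tmp" && mv "$f.tmp" "$f"
  wc -l <"$f" | tr -d ' '
}

# record_restart NAME NOW -> append one restart timestamp for NAME.
record_restart() {
  mkdir -p "$STATE_DIR"
  echo "$2" >>"$STATE_DIR/$1.restarts"
}

# allow_restart NAME NOW -> 0 while NAME is within its restart budget.
allow_restart() {
  [ "$(restarts_in_window "$1" "$2")" -lt "$MAX_RESTARTS" ]
}

# check_service NAME RESTART_CMD -> 0 running, 1 restarted, 2 gave up.
check_service() {
  name=$1
  cmd=$2
  now=$(date +%s)
  service_running "$name" && return 0
  if allow_restart "$name" "$now"; then
    log warning "$name is down, restarting ($cmd)"
    record_restart "$name" "$now"
    sh -c "$cmd"
    return 1
  fi
  log err "$name restarted $MAX_RESTARTS times within ${WINDOW_SECS}s; giving up, needs attention"
  return 2
}

# Assumed usage from cron every minute on a virtual router (names and commands
# are placeholders; the real VR services and init scripts may differ):
#   check_service dnsmasq "service dnsmasq restart"
#   check_service haproxy "service haproxy restart"
```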

Re: change own password and personal info

2013-11-06 Thread John Kinsella
Created CLOUDSTACK-5064 - no promises on if/when it gets implemented, but I'd 
guess it has a good chance…

On Nov 6, 2013, at 8:30 AM, Gordy Stronach <gordon.stron...@gmail.com> wrote:

+1 here also. The "Accounts" terminology can be a misnomer and is not
readily intuitive to new users.


On Wed, Nov 6, 2013 at 9:57 AM, John Kinsella <j...@stratosec.co> wrote:

Seems like the UI could benefit from a "my account" link near the top of
the page…what do folks think?

On Nov 6, 2013, at 5:31 AM, Geoff Higginbottom <geoff.higginbot...@shapeblue.com> wrote:

You need to go to the Users Section as the passwords are mapped to users,
not accounts

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbot...@shapeblue.com

-Original Message-
From: Юрий Карпель [mailto:yu...@karpel.su]
Sent: 06 November 2013 06:49
To: users@cloudstack.apache.org
Subject: change own password and personal info

CloudStack 4.2 fresh install.
Created account "test" with Role "User", and a user "newtest".
When I log in as a user created along with this Account, I've checked
"Accounts->test->View Users ->newtest" and in the "Detail" tab there were no
buttons, so I couldn't:
1. change my own password
2. change my personal info
PS: for the admin account it is also not possible to change the password. What
could be wrong?
This email and any attachments to it may be confidential and are intended
solely for the use of the individual to whom it is addressed. Any views or
opinions expressed are solely those of the author and do not necessarily
represent those of Shape Blue Ltd or related companies. If you are not the
intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender
if you believe you have received this email in error. Shape Blue Ltd is a
company incorporated in England & Wales. ShapeBlue Services India LLP is a
company incorporated in India and is operated under license from Shape Blue
Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil
and is operated under license from Shape Blue Ltd. ShapeBlue is a
registered trademark.

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: change own password and personal info

2013-11-06 Thread John Kinsella
Seems like the UI could benefit from a "my account" link near the top of the 
page…what do folks think?

On Nov 6, 2013, at 5:31 AM, Geoff Higginbottom 
mailto:geoff.higginbot...@shapeblue.com>> 
wrote:

You need to go to the Users Section as the passwords are mapped to users, not 
accounts

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbot...@shapeblue.com

-Original Message-
From: Юрий Карпель [mailto:yu...@karpel.su]
Sent: 06 November 2013 06:49
To: users@cloudstack.apache.org
Subject: change own password and personal info

CloudStack 4.2 fresh install.
Created account "test" with Role "User", and a user "newtest".
When I log in as a user created along with this Account, I've checked 
"Accounts->test->View Users ->newtest" and in the "Detail" tab there were no 
buttons, so I couldn't:
1. change my own password
2. change my personal info
PS: for the admin account it is also not possible to change the password. What 
could be wrong?

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Console Proxy SSL Certificate

2013-11-05 Thread John Kinsella
Self-signed is fine, just need to store it in the keystore as described on 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Enabling+SSL+in+the+CloudStack+UI

On Nov 5, 2013, at 10:05 AM, Paulo Ricardo wrote:

> Hello everybody,
> 
> After I generate a new 2048-bit private key and generate a new certificate
> CSR, do I need to purchase an SSL certificate? Or may I use a self-signed
> SSL certificate?
> 
> Thanks,
> 
> Paulo.



Re: Monitoring feature for CS

2013-08-16 Thread John Kinsella
I've been thinking a lot about monitoring over the last 6 weeks or so. For over 
a decade I've been a huge fan of Opsview/nagios, but I started getting the 
nagging feeling that this wasn't necessarily the best way to go anymore, with 
this whole cloud thing. So I've been looking/playing with a bunch of different 
stuff.

In my searching I found a great deck from Jason Dixon that's mostly in line 
with my current thoughts: 
https://speakerdeck.com/obfuscurity/the-state-of-open-source-monitoring

The idea of monitoring ACS at the JVM level's interesting - our management 
servers seem quite stable *knock on wood* but I'm currently of the mind of "the 
more stats the better" - never know when they might come in handy…once you have 
them, you can go back and analyze, see the trends, create new monitors, etc...


On Aug 14, 2013, at 9:56 PM, Jerry Jiang  wrote:

> Hi all,
> 
> Do you have any solution to implement monitoring feature for CS?
> 
> Jerry Jiang
> 
> 



Re: VNC Security---Remote Authentication Vulnerability

2013-05-22 Thread John Kinsella
Hi Aslan - are you referring to the CloudStack vulnerability announcement 
related to authentication bypass we announced in April? (CVE-2013-2756)

If so, to fix the issue you need to upgrade to CloudStack 4.0.2. Do note 
there's issues with Ceph on ACS 4.0.2, so if you are using Ceph we'll have to 
figure out another way to fix for you.

John

On May 21, 2013, at 2:02 AM, Aslan Lin <technologymess...@yahoo.cn> wrote:

Hi:
I deployed CloudStack 4.0.2 following the install guide, using KVM as the 
hypervisor. Recently I got a security report which presents a remote 
authentication vulnerability on my KVM host. I think that may be the QEMU built-in 
VNC server. I don't know how to fix this problem; has anyone met this? Thanks 
for your help.

Sorry for my poor English.

Best wishes





Re: Lock System VMs to specific IPs due to internal security

2013-05-02 Thread John Kinsella
You can deploy a VM with a specific IP - if somebody else hasn't already used 
it…it's not really an ideal solution but works "most of the time."

John

On May 2, 2013, at 1:47 PM, "Musayev, Ilya"  wrote:

> Has any tried to achieve locking SSVM, CPVM and RVM to specific IPs due to 
> network security concerns and firewall rules?
> 
> I see that there is an api call to deploy a system VM with specific IP, 
> curious if anyone tried it or how others may solve this problem.
> 
> As always, your response is appreciated.
> 
> Thanks
> ilya




Apache CloudStack Security Advisory: Multiple vulnerabilities in Apache CloudStack

2013-04-24 Thread John Kinsella


Product: Apache CloudStack
Vendor: The Apache Software Foundation
CVE References: CVE-2013-2756, CVE-2013-2758
Vulnerability Type(s): Authentication bypass (2756), cryptography (2758)
Vulnerable version(s): Apache CloudStack version 4.0.0-incubating and
4.0.1-incubating
Risk Level: High, Medium
CVSSv2 Base Scores: 7.3 (AV:N/AC:H/Au:N/CI:P/I:C/A:C), 4.3
(AV:A/AC:H/Au:N/CI:P/I:P/A:P)

Description:
The CloudStack PMC was notified of two issues found in Apache CloudStack:

1) An attacker with knowledge of CloudStack source code could gain
unauthorized access to the console of another tenant's VM.

2) Insecure hash values may lead to information disclosure. URLs
generated by Apache CloudStack to provide console access to virtual
machines contained a hash of a predictable sequence, the hash of
which was generated with a weak algorithm. While not easy to leverage,
this may allow a malicious user to gain unauthorized console access.

Mitigation:
Updating to Apache CloudStack versions 4.0.2 or higher will mitigate
these vulnerabilities.

Credit:
These issues were identified by Wolfram Schlich and Mathijs Schmittmann
to the Citrix security team, who in turn notified the Apache
CloudStack PMC.