-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Product: Apache CloudStack Vendor: The Apache Software Foundation CVE References: CVE-2013-2756, CVE-2013-2758 Vulnerability Type(s): Authentication bypass (2756), cryptography (2758) Vulnerable version(s): Apache CloudStack version 4.0.0-incubating and 4.0.1-incubating Risk Level: High, Medium CVSSv2 Base Scores: 7.3 (AV:N/AC:H/Au:N/CI:P/I:C/A:C), 4.3 (AV:A/AC:H/Au:N/CI:P/I:P/A:P)
Description: The CloudStack PMC was notified of two issues found in Apache CloudStack: 1) An attacker with knowledge of CloudStack source code could gain unauthorized access to the console of another tenant's VM. 2) Insecure hash values may lead to information disclosure. URLs generated by Apache CloudStack to provide console access to virtual machines contained a hash of a predictable sequence, the hash of which was generated with a weak algorithm. While not easy to leverage, this may allow a malicious user to gain unauthorized console access. Mitigation: Updating to Apache CloudStack versions 4.0.2 or higher will mitigate these vulnerabilities. Credit: These issues were identified by Wolfram Schlich and Mathijs Schmittmann to the Citrix security team, who in turn notified the Apache CloudStack PMC. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJReGl7AAoJEOom9N0pCN7Sr50P/0eXH56MdqWsRqSSQ20PobL2 Tgw3J5JgxTi1OVWlaq+5cdJO2RVbuXcT/FD5RgRYk8NSCFgzS8b3DCV+FQAjH1aL BKGjroNfOLeEYcEYC5hsD3mDarNsJ1Wi0NvJqdbpvFuYQ50E05iCUpDhf2d8Zn/b CQfd6ZHmduTs9UiigqwYY4QyG5aY1YKofZlv2VeXaSU+rY1mT8vU785O/nwd5x5f pvoGBt4l544mRpdCh09c3d+9aTh879PWecGMxQ1a5fOJtGiPXkdezvsySwDEWfZ6 Hrcs682gDYpsyCZtQskfA58ijJGf+yyg0eH1zJF/ws86YBMMwI4oFGxBUuApPmTq 6KHm9Efv/fDzvQH0eT9MP8KSQ5Q5Vp6C4V8uQc77swiusnuS0ZkCk/owaXpqwEbj //eeCforw39Im8O9JqjLjcKurneDFjsdsuuSahl9SOgAMnB4Paad58hk594FscUD wGYxipICT/Qsl/+kjjg7I3hH8YBuvoWASkefdkQcCfPfecq/jQE5pPfyuAZmzBe4 m5TSsLU6R+0kUJHLw8Z9Amb7mCkwpJkLlp6RJGyENExU/C9pweNYp9sqEwnnkFPC +1mqZxvEHJZe/RvwyyCGAaD6oyd11oGekU8rWxm4sDmVOIqdyIaE79LiDrQZ+Tzs Ol6cqhf+Vjoq03KyhaoH =fYw2 -----END PGP SIGNATURE-----
