The Apache CloudStack Blog

Wednesday Jan 28, 2015

CloudStack and the "Ghost" glibc vulnerability

UPDATE: mitigation instructions have been improved (don't update openswan) and we forgot to mention rebooting.
UPDATE: Links to updated System VM templates are now below

Yesterday, a buffer overflow vulnerability was announced in glibc that affects most current Linux distributions. In CloudStack, the system VMs contain a vulnerable version of glibc.

CloudStack community members have built an updated system VM template, which ShapeBlue is hosting at http://packages.shapeblue.com/systemvmtemplate/ (More information on the packages at http://shapeblue.com/packages).

For instructions on how to update the SystemVM template in CloudStack, see here.

For those who wish to patch their running system VMs, ssh into each one and run:

apt-mark hold openswan
apt-get clean
apt-get update && apt-get upgrade
After updating glibc, the system will need to be rebooted.

Information about how to connect to your System VMs is available here.

Other CloudStack-related systems may be affected!

Please review security updates from Linux distributions you use on your management server, storage systems, hypervisors, as well as other Linux VMs and bare-metal systems running in your environments. This post provides instructions for determining if a system is vulnerable, as well as patching directions for common Linux distributions.

Monday Dec 08, 2014

[CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds

CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Afffected:
Apache CloudStack 4.3, 4.4

Description:
Apache CloudStack may be configured to authenticate LDAP users. When so configured, it performs a simple LDAP bind with the name and password provided by a user. Simple LDAP binds are defined with three mechanisms (RFC 4513): 1) username and password; 2) unauthenticated if only a username is specified; and 3) anonymous if neither username or password is specified. Currently, Apache CloudStack does not check if the password was provided which could allow an attacker to bind as an unauthenticated user.

Mitigation:
Users of Apache CloudStack 4.4 and derivatives should update to the latest version (4.4.2)

An updated release for Apache CloudStack 4.3.2 is in testing. Until that is released, we recommend following the mitigation below:

By default, many LDAP servers are not configured to allow unauthenticated binds. If the LDAP server in use allow this behaviour, a potential interim solution would be to consider disabling unauthenticated binds.

Credit:
This issue was identified by the Citrix Security Team.

Tuesday Nov 11, 2014

The Apache CloudStack Project Announces Apache™ CloudMonkey™ v5.3.0

The Apache CloudStack project is pleased to announce the 5.3.0 release of CloudMonkey, the command line interface tool for Apache CloudStack configuration and management.

[Read More]

Friday Sep 26, 2014

CloudStack's realhostip service to retire in less than a week!

As previously mentioned, the realhostip.com dynamic DNS service is being retired at the end of September.

Citrix is reporting that they are still seeing DNS queries against the domain; Those who have not reconfigured their CloudStack installations will find part of their installations breaking once the realhostip service is retired on September 30th.

If you are running a version of CloudStack older than 4.3 and you have not reconfigured your installation to not use realhostip.com, please take the time to do so now before users are affected. Instructions are available in the CloudStack Wiki as well as other blogs on the Internet.

Friday Jun 06, 2014

Realhostip Reprieve for CloudStack Users

As mentioned previously, the realhostip.com dynamic DNS resolver service is being retired this summer. During testing of Apache CloudStack version 4.3, we found a few more issues related to realhostip.com that have been addressed for the 4.4 release.

In order to give everybody a reasonable window to update their CloudStack installations to use the updated code, the retirement date for the realhostip.com service has been pushed back to September 30th, 2014. This provides an additional 3 months from the original June 30th date.

Any questions related to the retirement of the realhostip.com service and it's affect on CloudStack installations should be send to the CloudStack Users or Development mailing lists. Further information about how to subscribe and interact with the mailing lists is available at https://cloudstack.apache.org/mailing-lists.html.

Friday Jan 10, 2014

[CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall rules allowing additional access

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Bypass
Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1, 4.2.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 2.8 (AV:N/AC:M/Au:M/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of a an issue in the Apache CloudStack virtual router that failed to preserve source restrictions in firewall rules after a virtual router had been stopped and restarted.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5263

Credit:

This issue was identified by the Cloud team at Schuberg Philis

[CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of a an issue in Apache CloudStack which permits an authenticated user to list network ACLs for other users.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5145

Credit:

This issue was identified by Marcus Sorensen

Thursday Sep 05, 2013

Apache CloudStack Weekly News - 4 September 2013

Welcome back to another exciting issue of the Apache CloudStack Weekly News. This week, 4.2.0 enters it's fourth round of voting, we welcome several new committers and look at some of the major discussions on the Apache CloudStack mailing lists, and much more.

Major Discussions

4.2 is Now being Voted On

The fourth round of voting is now open on the 4.2 release. This release is full of new features, fixes and thousands of hours of work from everyone in the community. It's important to test and cast your vote on the release. Remember that all members of the community are eligible to cast a vote and note any issues that they have with the current release candidate.

4.2 Issues Closure

Sudha Ponnaganti has throughout the 4.2 put together a list of the the current blocker and critical issues that need to be reviewed. If you have issues that have been resolved please review, test, and close out please.

High Quality Documentation

For some time now there has been discussion around a possible replacement to our current use DocBook for our primary document editor. Sebastien Goasguen started a discussion to look at Markdown by Daring Fireball. With there being concern about how to create and maintain high quality documentation, this is an important thread to participate in for anyone interested in the release documents.

After seeing lots of frustrated people with folks I decided to try something out with markdown.

I used pandoc to convert some docbook files to markdown and I used a structure for a book based on 'The little mongodb' book.
We can generate epub and pdf using latex.

See: link

There are two "books" aimed at being step by step recipes. Not long, not convoluted, single OS, etc…simple step by step.

link
link

I am still sanitizing the installation one based on 4.2 .

Comments, flames ?

CloudStack Planet

Speaking in Tech Podcast - The Register

Aaron Delp joined in as a part of talking cloud and especially CloudStack as part of an interview with The Register and their "Speaking in Tech" podcast series.

Aaron's section on ACS is from 17:45 to 26:00 - http://www.theregister.co.uk/2013/08/01/speaking_in_tech_episode_69/

CloudStack Appliances Released

Ilya Musayev a committer of the ACS project and founder of CloudSands project has recently announced the release of a set of pre-built management server appliances available for open use based off the ACS 4.1.1 code base. There are appliances for VMware, Xen and KVM hypervisors.

Objective: Speed up the Apache CloudStack adoption by abstracting the need of going through install process and using pre-installed package instead. Especially useful for a quick POC.

vSphere:
Short URL: link
Long URL: link

KVM:
Short URL: link
Long URL: link

XEN:
Short URL: link
Full URL: link

Minimum Requirements:
1 CPU x 2 GB of RAM

Testing:

Please spend few minutes on testing these out, you can import it as a template into your ACS - power on and see the details on initial start.
I've tested vSphere and KVM version. I don't have XEN instance to try.

Events

New Committers and PMC Members

  • Ilya Musayev has been invited to join the CloudStack PMC, and has accepted.
  • Vijay Bhamidipati has been invited by the PMC to become a committer and has accepted.
  • Toshiaki Hatano has been invited by the PMC to become a committer and has accepted.
  • Kirk Kosinski has been invited by the PMC to become a committer and has accepted.
  • Ian Duffy has been invited by the PMC to become a committer and has accepted.

Friday Aug 16, 2013

Announcing the CloudStack Collaboration Conference - Europe

With two very successful events in the United Stated we know it is time to bring this conference to Europe. This time we’re gathering the community in The Netherlands. More specific, right in the center of Amsterdam in one of its historical landmarks, the Beurs van Berlage.

Starting November 20th with a hack day and continuing with a two day conference, this will be your opportunity to dive into all things CloudStack. Meet the community, discuss new ideas and learn about existing and upcoming features. We have setup the conference to provide an exciting environment to participate in workshops, attend presentations or just sit back and have a drink with other CloudStack enthusiasts.

The Call for Papers is open right now, so send your abstract to cfp@cloudstackcollab.org. If it’s relevant to Apache CloudStack development, deployment, and integration, we’re interested in what you might have to say. We can accommodate workshops, hack sessions, presentation and we want to work with you to make sure you can share what you want with the community. Check the website for more details, http://www.cloudstackcollab.org/call-for-papers

The conference website http://www.cloudstackcollab.org will be regularly updated with new content to keep you informed about the conference. Please check it regularly to be informed about the latest developments regarding the CloudStack Collaboration Conference Europe.

Important Dates

The Call for Papers will run from today (August 16th) to September 30th. We will send out notifications shortly after closing the the Call for Papers.

The Conference Hack Day will be November 20th

The Conference talks and planned sessions begin on November 21th

The Conference ends on November 22th

Registration

We will announce the registration in a short while, please keep an eye on the website http://www.cloudstackcollab.org/ for more details.

Location

The conference will be at the Beurs van Berlage in Amsterdam, The Netherlands. Located in the city center it is close to quite a number of hotels and hostels in Amsterdam. We are looking at the possibility to make a deal with one of the hotels in the immediate vicinity of the conference location. We will update the conference website when we have the details.

Sponsoring

Sponsoring opportunities are available for the CloudStack Collaboration Conference. At the conference website http://www.cloudstackcollab.org/sponsors some of our sponsors will explain you the benefits in a video message. If you’d like to see the sponsorship prospectus or ask about sponsoring, contact sponsors@cloudstackcollab.org.

We’re very pleased to invite the community to Amsterdam and we hope you’ll join us! See you in Amsterdam!

Thursday Jul 25, 2013

Apache CloudStack Weekly News - 24 July 2013

Welcome back to another exciting issue of the Apache CloudStack Weekly News. This week, we take a look at the progress towards 4.2.0, major discussions on the Apache CloudStack mailing lists, and much more.

[Read More]

Thursday Jul 11, 2013

CloudStack Weekly News - 10 July 2013

The community is busy working on 4.2.0, and there's much to be done before the release is ready. This week, we're taking a look at some of the interesting discussions going on in the the community about the next generation of Apache CloudStack, and functionality we can provide, as well as procedural changes that everyone should be aware of.

[Read More]

Tuesday Jul 02, 2013

Apache CloudStack Weekly News - 1 July 2013

We are half way through the year and a lot of work is done, and lot more is yet to be done. This week we look back at some of the CloudStack Collaboration Conference, work continues on 4.1.1 and 4.2.0, and we have some interesting discussions on how we should release the CloudMonkey and Marvin tools used with CloudStack. There's a by-laws vote underway to look at how and where we decide non-technical issues, and some discussion on the best way to to discuss and do code reviews.

[Read More]

Tuesday Jun 18, 2013

Apache CloudStack Weekly News - 17 June 2013

It's been another busy week for the Apache CloudStack project. This week we welcome another new committer, work continues on 4.1.1 and 4.2.0, and we have some interesting discussions on how we should release the CloudMonkey and Marvin tools used with CloudStack. We've also seen a few interesting marketing discussions, and the community is gearing up for the second CloudStack Collaboration Conference taking place 23 June through 25 June in Santa Clara, CA.

[Read More]

Wednesday Jun 12, 2013

Apache CloudStack Weekly News - 10 June 2013

This week, we take a look at the 4.2.0 feature freeze pushback, the Apache CloudStack user survey, and new committers and PMC members for Apache CloudStack.

[Read More]

Tuesday May 28, 2013

4.1.0 VOTE in Progress: Testers Welcome!

The Apache CloudStack is very near to the 4.1.0 release, and as a result we’re conducting a vote on artifacts for the 4.1.0 release right now. Because we want to make sure we have the best possible release, we’d like to invite anyone who’s interested in CloudStack to take the current release candidate for a test drive. [Read More]

Calendar

Search

Hot Blogs (today's hits)

Tag Cloud

Categories

Feeds

Links

Navigation