The Apache CloudStack Blog

Thursday October 27, 2016

Apache CloudStack registerUserKeys authorization vulnerability

The CloudStack security team recently received notice of a significant vulnerability in a CloudStack API call - registerUserKeys. The original intention for this call was for it to only be exposed for integration work - eg not to the public network in general. A weakness in the API call's implementation allows a malicious user to reset the API keys for other users on the system, thus accessing resources and services available to that user. We have released CloudStack versions and with patches for this issue. More details about the release can be read on the official announcement post.

Some users may be protected from this weakness already, if they have configured their file to limit access to this api call from the integration API port, instead of general API port. This can be accomplished by setting registerUserKeys to 1.

Users of Apache CloudStack version 4.9 whom are using the dynamic roles feature can delete the "Allow" rule for "registerUserKeys" for each non-administrator role under the Roles/Rules section of the user interface.

This vulnerability was reported by Marc-Aurèle Brothier from Exoscale.


Congrats for the finding, Marc-Aurèle! Thanks for the contribution. I'm happy to see that SECURITY in not just a marketing argument from my Swiss Cloud provider. is taking care of my data : this is very important to me. Moreover, you are contributing to improve products : that is a good point for your company.

Posted by SebastienP on October 30, 2016 at 08:24 PM UTC #

Hi, It is very ice post, your blog is looking good. Keep going on.

Posted by camera 360 on November 01, 2016 at 08:26 AM UTC #

Nice catch Marc-Aurèle Brothier and thanks for sharing and keep going on .

Posted by Sadhu on November 16, 2016 at 09:43 AM UTC #

This was solved and that's great. thanks for your information.

Posted by Jio TV on January 20, 2017 at 03:32 AM UTC #

apache cloud secondary storage not working

Posted by shiju on January 24, 2017 at 05:13 AM UTC #

works now.

Posted by carlogos on May 17, 2017 at 09:37 AM UTC #


Posted by javascript obfuscator on July 03, 2017 at 04:02 AM UTC #

Your blog website provided us with useful information to execute with. Each & every recommendations of your website are awesome. Thanks a lot for talking about.

Posted by satta matka on January 13, 2018 at 03:38 PM UTC #

Post a Comment:
Comments are closed for this entry.



Hot Blogs (today's hits)

Tag Cloud