The Apache CloudStack Blog
[CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall rules allowing additional access
Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Bypass
Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1, 4.2.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 2.8 (AV:N/AC:M/Au:M/C:P/I:N/A:N)
The Apache CloudStack Security Team was notified of an issue in the Apache CloudStack virtual router, which failed to preserve source restrictions in firewall rules after the virtual router had been stopped and restarted.
Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.
This issue was identified by the Cloud team at Schuberg Philis.
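
One way to check a virtual router for the condition described above, as an added example that is not CloudStack code: it compares rule dumps taken before and after a stop/start and reports accept rules whose source restriction was dropped or widened. It assumes the dumps are in iptables-save format; the chain name, addresses and both snapshots are constructed.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed snapshots (iptables-save format assumed; chain name is hypothetical).
BEFORE = """*filter
-A FW_EXAMPLE -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FW_EXAMPLE -s 198.51.100.7/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
AFTER = """*filter
-A FW_EXAMPLE -p tcp -m tcp --dport 22 -j ACCEPT
-A FW_EXAMPLE -s 198.51.100.7/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def parse_accept_rules(snapshot):
    """Map (chain, proto, dport) -> set of source networks allowed by ACCEPT rules."""
    rules = {}
    for line in snapshot.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue  # table headers, chain policies, COMMIT
        opts = {"-s": None, "-p": "all", "--dport": "any", "-j": None}
        for i, t in enumerate(tok[:-1]):
            if t in opts:
                opts[t] = tok[i + 1]
        if opts["-j"] != "ACCEPT":
            continue
        src = ipaddress.ip_network(opts["-s"], strict=False) if opts["-s"] else ANY
        rules.setdefault((tok[1], opts["-p"], opts["--dport"]), set()).add(src)
    return rules

def widened_rules(before, after):
    """List rules whose sources after the restart exceed what was allowed before."""
    old, new = parse_accept_rules(before), parse_accept_rules(after)
    findings = []
    for key, new_srcs in new.items():
        old_srcs = old.get(key)
        if old_srcs is None:
            continue  # rule absent before the restart: not this check's concern
        for src in sorted(new_srcs, key=str):
            if not any(src.subnet_of(o) for o in old_srcs):
                findings.append((key, sorted(map(str, old_srcs)), str(src)))
    return findings

if __name__ == "__main__":
    for key, was, now in widened_rules(BEFORE, AFTER):
        print(f"{key}: source {was} before restart, {now} after")
```

An empty result means every accept rule present after the restart is still limited to sources that were allowed before it.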
Posted at 02:00PM Jan 10, 2014 by ke4qqq in News