Entries tagged [cloudstack]
Apache CloudStack registerUserKeys authorization vulnerability
The CloudStack security team recently received notice of a significant vulnerability in a CloudStack API call - registerUserKeys. The original intention was for this call to be exposed only for integration work, e.g., not to the public network in general. A weakness in the API call's implementation allows a malicious user to reset the API keys of other users on the system, and thus to access the resources and services available to those users. We have released CloudStack versions 126.96.36.199 and 188.8.131.52 with patches for this issue. More details about the release can be read on the official announcement post.
Some users may already be protected from this weakness if they have configured their commands.properties file to limit access to this API call to the integration API port instead of the general API port. This can be accomplished by setting registerUserKeys to 1.
Users of Apache CloudStack version 4.9 who are using the dynamic roles feature can delete the "Allow" rule for "registerUserKeys" for each non-administrator role under the Roles/Rules section of the user interface.
Credit:
This vulnerability was reported by Marc-Aurèle Brothier from Exoscale.
The Apache CloudStack Project Announces Apache™ CloudMonkey™ v5.3.0
The Apache CloudStack project is pleased to announce the 5.3.0 release of CloudMonkey, the command line interface tool for Apache CloudStack configuration and management.
Announcing Apache™ CloudStack™ v4.4.1
The Apache CloudStack project is pleased to announce the 4.4.1 release of CloudStack, the turnkey Open Source cloud computing software platform used for creating private, public, and hybrid cloud environments.
Announcing the CloudStack Collaboration Conference - Europe
With two very successful events in the United States, we know it is time to bring this conference to Europe. This time we’re gathering the community in The Netherlands. More specifically, right in the center of Amsterdam in one of its historical landmarks, the Beurs van Berlage.
Starting November 20th with a hack day and continuing with a two-day conference, this will be your opportunity to dive into all things CloudStack. Meet the community, discuss new ideas and learn about existing and upcoming features. We have set up the conference to provide an exciting environment to participate in workshops, attend presentations or just sit back and have a drink with other CloudStack enthusiasts.
The Call for Papers is open right now, so send your abstract to email@example.com. If it’s relevant to Apache CloudStack development, deployment, and integration, we’re interested in what you might have to say. We can accommodate workshops, hack sessions, and presentations, and we want to work with you to make sure you can share what you want with the community. Check the website for more details: http://www.cloudstackcollab.org/call-for-papers
The conference website http://www.cloudstackcollab.org will be regularly updated with new content to keep you informed about the conference. Please check it regularly to be informed about the latest developments regarding the CloudStack Collaboration Conference Europe.
The Call for Papers will run from today (August 16th) to September 30th. We will send out notifications shortly after closing the Call for Papers.
The Conference Hack Day will be November 20th
The Conference talks and planned sessions begin on November 21st
The Conference ends on November 22nd
We will announce the registration in a short while; please keep an eye on the website http://www.cloudstackcollab.org/ for more details.
The conference will be at the Beurs van Berlage in Amsterdam, The Netherlands. Located in the city center, it is close to quite a number of hotels and hostels in Amsterdam. We are looking at the possibility of making a deal with one of the hotels in the immediate vicinity of the conference location. We will update the conference website when we have the details.
Sponsoring opportunities are available for the CloudStack Collaboration Conference. At the conference website http://www.cloudstackcollab.org/sponsors some of our sponsors will explain the benefits to you in a video message. If you’d like to see the sponsorship prospectus or ask about sponsoring, contact firstname.lastname@example.org.
We’re very pleased to invite the community to Amsterdam and we hope you’ll join us! See you in Amsterdam!
Apache CloudStack Weekly News - 17 June 2013
It's been another busy week for the Apache CloudStack project. This week we welcome another new committer, work continues on 4.1.1 and 4.2.0, and we have some interesting discussions on how we should release the CloudMonkey and Marvin tools used with CloudStack. We've also seen a few interesting marketing discussions, and the community is gearing up for the second CloudStack Collaboration Conference taking place 23 June through 25 June in Santa Clara, CA.
4.1.0 VOTE in Progress: Testers Welcome!
Apache CloudStack is very near to the 4.1.0 release, and as a result we’re conducting a vote on artifacts for the 4.1.0 release right now. Because we want to make sure we have the best possible release, we’d like to invite anyone who’s interested in CloudStack to take the current release candidate for a test drive.
Apache CloudStack Weekly News - 4 March 2013
This week, a vote on updating the project bylaws, fixing the "Tomcat situation" after 4.1, and discussions around the support lifecycle. Some respectable progress in knocking out major and blocker bugs for 4.1.0 as well. The project also welcomes two new PPMC members and three new committers.
Apache CloudStack Weekly News - 25 February 2013
This week, interesting discussions on the Java version(s) to be supported by CloudStack, updates on translation, and database changes. Also discussion on the next CloudStack Collaboration Conference, and more. Work on 4.1.0 continues, and there's much to be done before it's ready to ship.
Apache CloudStack 4.0.1-incubating Released
The Apache CloudStack project is pleased to announce the 4.0.1-incubating release of the CloudStack Infrastructure-as-a-Service (IaaS) cloud orchestration platform. This is a minor release in the 4.0.0 branch, which contains fixes for more than 30 bugs.
Apache CloudStack Weekly News - 11 February 2013
In the past week, the 4.0.1-incubating release passed its VOTE on the email@example.com list, work continued on 4.1.0, and there were active discussions on using Gerrit, cloud-init, and whether memory usage has increased following the adoption of the Spring framework.
Apache CloudStack Weekly News - 4 February 2013
Another busy week in Apache CloudStack land! Javelin has been merged with master, the 4.1 branch has been created, and the 4.0.1-incubating release has passed its second round vote to go on to the IPMC vote.
Apache CloudStack Weekly News - 28 January 2013
As the 4.1.0 feature freeze approaches, the mailing list has been extremely active. The activity on -dev is off the charts, with (according to MarkMail) more than 4,400 messages sent to -dev in January - and the month isn't over yet! This eclipses the previous record set in October 2012 of 3,109 messages. Major discussions this week include the Javelin merge and IP clearance issues.
Apache CloudStack Weekly News - 21 January 2013
As usual, a lot of activity on the -dev mailing list. Several VOTEs this week around features donated by Citrix, and quite a few upcoming events. Speaking of events, videos from the CloudStack Collaboration Conference are up on YouTube!