Entries tagged [security]

Wednesday Apr 09, 2014

How to Mitigate OpenSSL HeartBleed Vulnerability in Apache CloudStack

OpenSSL is an important part of Apache CloudStack. In light of the recent "HeartBleed" vulnerability disclosure, we are providing instructions on how to mitigate the vulnerability in your infrastructure.[Read More]

Tuesday Mar 25, 2014

Realhostip Service is Being Retired

Recently the Apache CloudStack PMC was informed that the realhostip.com Dynamic DNS service that CloudStack currently uses as part of the console proxy will be disbanded this summer. The realhostip service will be shut down June 30th, 2014, meaning users have approximately 3 months to mitigate this.

Prior to version 4.3, CloudStack used the realhostip.com service by default. With the release of CloudStack version 4.3 the default communication method with the console proxy is plaintext HTTP.

Who is Affected

CloudStack installations prior to version 4.3 that have not been reconfigured to use a DNS domain other than realhostip.com for Console Proxy or Secondary Storage must make changes to continue functioning past June 30th, 2014.

Steps You Need to Take

If you meet the criteria above, there are several options to prepare for realhostip retirement:

  • Set up wildcard SSL certificate and DNS entries: This method is already well supported within prior versions of CloudStack.
  • Upgrade to CloudStack 4.3 and disable SSL: This is only recommended for development installations, or private clouds that contain no information of importance.
  • Upgrade to CloudStack 4.3, set up static SSL certificate and configure load balancer to point to the correct IP address: While this allows an administrator to skip setting up the DNS entries from the previous option, it is a more advanced option as CloudStack 4.3 does not support automatic load balancer configuration for the Console Proxy. It is hoped this functionality will be available in future releases.

For instructions on how to set up SSL encryption for use with CloudStack console proxy, please read the console proxy section of the CloudStack administration guide.

Additionally, if you will be using an SSL vendor who requires an intermediate CA chain to be installed for proper SSL validation by web browsers, detailed instructions for configuring the intermediate CA chain in CloudStack can be found here.

The Apache CloudStack security team does not recommend running a production cloud with either the realhostip.com SSL certificate, or with no SSL encryption at all.

Friday Jan 10, 2014

[CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall rules allowing additional access

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Bypass
Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1, 4.2.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 2.8 (AV:N/AC:M/Au:M/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of a an issue in the Apache CloudStack virtual router that failed to preserve source restrictions in firewall rules after a virtual router had been stopped and restarted.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5263

Credit:

This issue was identified by the Cloud team at Schuberg Philis

[CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of a an issue in Apache CloudStack which permits an authenticated user to list network ACLs for other users.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5145

Credit:

This issue was identified by Marcus Sorensen

Calendar

Search

Hot Blogs (today's hits)

Tag Cloud

Categories

Feeds

Links

Navigation