cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: [CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds
Date Tue, 09 Dec 2014 09:39:23 GMT
ShapeBlue has created a patch that fixes this issue for Apache CloudStack 4.3.1 users, it available
from their “main” deb/rpm repository. ShapeBlue has also published Apache CloudStack 4.4.2
debs/rpms on their main and upstream repositories.

Repository: http://shapeblue.com/packages
Release notes: https://github.com/shapeblue/cloudstack/wiki/Apache-CloudStack-4.3.1-ShapeBlue-Patch02
Source tag 4.3.1-shapeblue-02: https://github.com/shapeblue/cloudstack/releases/tag/shapeblue-4.3.1-02

Regards.

> On 09-Dec-2014, at 1:41 am, John Kinsella <jlk@stratosec.co> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
>
> CVSS:
> 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> Vendors:
> The Apache Software Foundation
> Citrix, Inc.
>
> Versions Afffected:
> Apache CloudStack 4.3, 4.4
>
> Description:
> Apache CloudStack may be configured to authenticate LDAP users.
> When so configured, it performs a simple LDAP bind with the name
> and password provided by a user.  Simple LDAP binds are defined
> with three mechanisms (RFC 4513): 1) username and password; 2)
> unauthenticated if only a username is specified; and 3) anonymous
> if neither username or password is specified.  Currently, Apache
> CloudStack does not check if the password was provided which could
> allow an attacker to bind as an unauthenticated user.
>
> Mitigation:
> Users of Apache CloudStack 4.4 and derivatives should update to the
> latest version (4.4.2)
>
> An updated release for Apache CloudStack 4.3.2 is in testing. Until
> that is released, we recommend following the mitigation below:
>
> By default, many LDAP servers are not configured to allow unauthenticated
> binds.  If the LDAP server in use allow this behaviour, a potential
> interim solution would be to consider disabling unauthenticated
> binds.
>
> Credit:
> This issue was identified by the Citrix Security Team.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCgAGBQJUhgUCAAoJEOom9N0pCN7SOQMQAKyBuhg25u3FcVOU5XMdGGpT
> 2kSVFoLFR74ObI8bdr3HP+2LdLf/Go9QBBrWlZ034FUj6OV0Ct5o8TNB6AHbv0qF
> Ar4N05JoGtPaDCe9sWV/+ykOJH8snQjnYwVFrLZlLw8Y/JUQ+I1yJBksw8a2/hT2
> vmYgYiAQyrEMMk4bhBBlEyaJFMhuMtKtgUqLDW8wmlhkt2acZMt/0BKxDwAO8o7m
> 6ypepPCmkPHUpD50tfcCI+K4ib/C5EOn40n4orM97/JHZLsCyhz5nk36eQMOQQz2
> fJlaA04fQSV4Cv7c+S0LPh5e4e6TPSrOW3O4/V2dkjK/GgP8kUoo7ivyjIw6d2oJ
> Z5vqqgxrmgwDjH58YfVu3tyVuDlOFTZfCLkhdoXMxHfMLYYKeXkffRli9XabxrE+
> AkVoXaQAumf8IzTLVSQztV18jC79kvEeCV0pFYOjb/X/gShemruqmCWVDulj1ax6
> tzoP+Bm2mQRyrRClY37R+q3cQ2z6eNAC/vAoYzhYBN1o63MYneLYDADhyE6YIGz0
> LTbDDGFn0WVdFDrqworHdYDIMW7HQFMNtsQuueeP7LBldsgyTmjmBMp+S3Tq27UT
> RaVgp3n9ZUPdzj/i1vvJBrATKUNmv1GDoy+C1GPNx423nEOe7dFkMJARlcbf5Pml
> 03DX+ot4Xan0P5HXPT+r
> =QqOf
> -----END PGP SIGNATURE-----

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use
of the individual to whom it is addressed. Any views or opinions expressed are solely those
of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
registered by The Republic of South Africa and is traded under license from Shape Blue Ltd.
ShapeBlue is a registered trademark.
Mime
View raw message