From: Rohit Yadav <rohit.yadav@shapeblue.com>
To: dev@cloudstack.apache.org
Subject: Re: [CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds
Date: Tue, 9 Dec 2014 09:39:23 +0000
In-Reply-To: <97C015F9-93B6-4E1C-9757-264C72B9676B@stratosec.co>

ShapeBlue has created a patch that fixes this issue for Apache CloudStack 4.3.1 users; it is available from their “main” deb/rpm repository. ShapeBlue has also published Apache CloudStack 4.4.2 debs/rpms on their main and upstream repositories.

Repository: http://shapeblue.com/packages
Release notes: https://github.com/shapeblue/cloudstack/wiki/Apache-CloudStack-4.3.1-ShapeBlue-Patch02
Source tag 4.3.1-shapeblue-02: https://github.com/shapeblue/cloudstack/releases/tag/shapeblue-4.3.1-02

Regards.

> On 09-Dec-2014, at 1:41 am, John Kinsella <jlk@stratosec.co> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
>
> CVSS:
> 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> Vendors:
> The Apache Software Foundation
> Citrix, Inc.
>
> Versions Affected:
> Apache CloudStack 4.3, 4.4
>
> Description:
> Apache CloudStack may be configured to authenticate LDAP users.
> When so configured, it performs a simple LDAP bind with the name
> and password provided by a user. Simple LDAP binds are defined
> with three mechanisms (RFC 4513): 1) username and password; 2)
> unauthenticated if only a username is specified; and 3) anonymous
> if neither username nor password is specified. Currently, Apache
> CloudStack does not check if the password was provided, which could
> allow an attacker to bind as an unauthenticated user.
>
> Mitigation:
> Users of Apache CloudStack 4.4 and derivatives should update to the
> latest version (4.4.2).
>
> An updated release for Apache CloudStack 4.3.2 is in testing. Until
> that is released, we recommend following the mitigation below:
>
> By default, many LDAP servers are not configured to allow unauthenticated
> binds. If the LDAP server in use allows this behaviour, a potential
> interim solution would be to consider disabling unauthenticated
> binds.
>
> Credit:
> This issue was identified by the Citrix Security Team.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCgAGBQJUhgUCAAoJEOom9N0pCN7SOQMQAKyBuhg25u3FcVOU5XMdGGpT
> 2kSVFoLFR74ObI8bdr3HP+2LdLf/Go9QBBrWlZ034FUj6OV0Ct5o8TNB6AHbv0qF
> Ar4N05JoGtPaDCe9sWV/+ykOJH8snQjnYwVFrLZlLw8Y/JUQ+I1yJBksw8a2/hT2
> vmYgYiAQyrEMMk4bhBBlEyaJFMhuMtKtgUqLDW8wmlhkt2acZMt/0BKxDwAO8o7m
> 6ypepPCmkPHUpD50tfcCI+K4ib/C5EOn40n4orM97/JHZLsCyhz5nk36eQMOQQz2
> fJlaA04fQSV4Cv7c+S0LPh5e4e6TPSrOW3O4/V2dkjK/GgP8kUoo7ivyjIw6d2oJ
> Z5vqqgxrmgwDjH58YfVu3tyVuDlOFTZfCLkhdoXMxHfMLYYKeXkffRli9XabxrE+
> AkVoXaQAumf8IzTLVSQztV18jC79kvEeCV0pFYOjb/X/gShemruqmCWVDulj1ax6
> tzoP+Bm2mQRyrRClY37R+q3cQ2z6eNAC/vAoYzhYBN1o63MYneLYDADhyE6YIGz0
> LTbDDGFn0WVdFDrqworHdYDIMW7HQFMNtsQuueeP7LBldsgyTmjmBMp+S3Tq27UT
> RaVgp3n9ZUPdzj/i1vvJBrATKUNmv1GDoy+C1GPNx423nEOe7dFkMJARlcbf5Pml
> 03DX+ot4Xan0P5HXPT+r
> =QqOf
> -----END PGP SIGNATURE-----

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
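The quoted advisory describes the RFC 4513 bind semantics in prose. The following Python is an added example, not code from CloudStack, ShapeBlue or the advisory: a minimal BER encoder shows what the three simple-bind variants look like on the wire (an empty password is literally the two bytes `80 00`, the "unauthenticated" shape), a classifier reads the variant back from a captured BindRequest as a network sensor would, and a constructed stand-in directory (the DN, password and `allow_unauthenticated` switch are all assumptions, the switch modelling the server-side setting the advisory's interim mitigation turns off) shows the unchecked bind the advisory describes succeeding with an empty password while the hardened authenticator refuses it before touching the server.

```python
"""Added example (not CloudStack's code): RFC 4513 simple-bind variants on the
wire, their classification, and a client-side guard against unauthenticated
binds. All DNs, passwords and directory contents are constructed for the demo."""

LDAP_VERSION = 3


# --- minimal BER helpers, enough for an LDAP BindRequest ---------------------
def _ber_len(n: int) -> bytes:
    """Definite-form length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _integer(v: int) -> bytes:
    if not 0 <= v < 0x80:
        raise ValueError("demo encoder handles single-byte INTEGERs only")
    return _tlv(0x02, bytes([v]))


def encode_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple [0] } }.
    The password is context tag [0] (0x80) OCTET STRING; an empty password
    encodes as 80 00, which is exactly the 'unauthenticated bind' shape."""
    bind = _integer(LDAP_VERSION) + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))  # 0x60 = [APPLICATION 0]


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


# --- RFC 4513 section 5.1: how a server classifies a simple bind -------------
def classify_simple_bind(name: str, password: str) -> str:
    if not name and not password:
        return "anonymous"        # 5.1.1
    if name and not password:
        return "unauthenticated"  # 5.1.2: success only yields an anonymous session
    if not name:
        return "malformed"        # password without a DN is none of the three
    return "name/password"        # 5.1.3: the only variant that proves identity


def classify_wire(msg: bytes) -> str:
    """Classify a raw LDAPMessage; a sensor can alert on 'unauthenticated'."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)         # messageID
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:
        return "not-a-bind"
    _, _, pos = _read_tlv(bind, 0)         # version
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        return "sasl"                      # [3] SaslCredentials, out of scope here
    return classify_simple_bind(name.decode(), cred.decode())


# --- constructed directory and the two client authenticators -----------------
class FakeDirectory:
    """Stand-in LDAP server (assumption, not a real directory). The
    allow_unauthenticated flag models the server setting the advisory's
    interim mitigation disables; RFC 4513 says servers SHOULD refuse by default."""

    def __init__(self, users: dict, allow_unauthenticated: bool):
        self.users, self.allow_unauthenticated = users, allow_unauthenticated

    def bind(self, name: str, password: str) -> int:
        """resultCode: 0 success, 49 invalidCredentials, 53 unwillingToPerform."""
        kind = classify_simple_bind(name, password)
        if kind == "anonymous":
            return 0
        if kind == "unauthenticated":
            return 0 if self.allow_unauthenticated else 53
        if kind == "name/password" and self.users.get(name) == password:
            return 0
        return 49


def vulnerable_authenticate(directory: FakeDirectory, name: str, password: str) -> bool:
    """The pattern the advisory describes: forward whatever the user typed and
    treat resultCode 0 as a login. With an empty password this is an
    unauthenticated bind, and a permissive server answers 'success'."""
    return directory.bind(name, password) == 0


def hardened_authenticate(directory: FakeDirectory, name: str, password: str) -> bool:
    """Only a name/password bind proves anything, so refuse the other shapes
    in the client instead of trusting the server's resultCode for them."""
    if classify_simple_bind(name, password) != "name/password":
        return False
    return directory.bind(name, password) == 0
```

The check belongs in the client regardless of the server's configuration: turning off unauthenticated binds on the directory (the advisory's interim mitigation) makes `vulnerable_authenticate` return false for an empty password, but the client still depends on every directory it may ever be pointed at being configured that way.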