cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Kinsella <...@apache.org>
Subject CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability
Date Thu, 27 Oct 2016 14:25:03 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability

CVSS v3:
9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L)

Vendors:
The Apache Software Foundation
Accelerite, Inc

Versions affected:
CloudStack versions 4.1 and newer are affected by this issue.

Description:
Apache CloudStack contains an API call[1] designed to allow a user
to register for the developer API.  If a malicious user is able to
determine the ID of another (non-"root") CloudStack user, the
malicious user may be able to reset the API keys for the other user,
in turn accessing their account and resources.

Mitigation:
Some users may be protected from this weakness already, if they
have configured their commands.properties file to limit access to
this api call from the integration API port, instead of general API
port. This can be accomplished by setting registerUserKeys to 1.

Users of Apache CloudStack version 4.9 whom are using the dynamic
roles feature can delete the "Allow" rule for "registerUserKeys"
for each non-administrator role under the Roles/Rules section of
the user interface.

Alternately, users of Apache CloudStack should upgrade to one of
the following versions, based on which release they are currently
using: 4.8.1.1, or 4.9.0.1. These versions contain only security
updates, and no other functionality change. Full details about the
security releases can be found at [2]

Credit:
This vulnerability was reported by Marc-Aurèle Brothier from Exoscale.

1: https://cloudstack.apache.org/api/apidocs-4.8/user/registerUserKeys.html
2: https://s.apache.org/qV5l
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJYEg0wAAoJEOom9N0pCN7SK2kP/jnhxB4u1wUaf32N2EWVbPur
uv1CarrwkV7XDlmlmcBn2G7uitPO6hbDMf9z+ZB55d5pnc5EwMluUltWjwsa2ixm
aMkqepr1wNIKZkJkPo8dlpoEHtqzv3WiY4i18TS7kUV8cjUuWe0UHB3Tj4QSSTAF
CbuQhl3+xJ5S0aU2LV5buHrhbbPCpTBzK5p2NFP2Bq1YEjdh1vsXpeoJM1miKyb+
/gTt79SNDbTRmoy5zp2dtJ10nZFxW04gEAjGyV8JJlhDJhgQo3F9zVKbyIbGcDJ6
ZFJkl90EptO/ebePJ9LmV3uLYUMm21DzfcF/b2TwzaOmvIpVou0dSqqGBBsgiGbl
OFm/7YRTbBDS6w5tFtUXta4LWWEBr3tyirB2X+Qi5Ctqw5HJSmhL2yyiPYtKKKpx
pp3tOQw5oho/Qkm0Xt0ClpHfF+K5ndGWw7gbpwPdF+XpsCPciuM7LhhI1db67Azu
eY9O69fY4daX4QsppT+cBX1Yc47ZTwHJvVCSvUQLr7KHBuxCF62S52i92bknE06F
WsRlNZT8HzBMI82PImVLCreO0Eh7QgouWsDoadqeCGQw97FBXF3aLkSji90hLy6y
DO6ucUKqRwtGP9orhCB7fsK4SKFYCy4xwIUMPxY3SHahiruZEV/II8GrptyOWWLV
0K9uAQryK2GZ3Nmml1r4
=o0kf
-----END PGP SIGNATURE-----

Mime
View raw message