cloudstack-dev mailing list archives

From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: [DISCUSS] Freezing master for 4.11
Date Tue, 16 Jan 2018 11:17:20 GMT
Hi Kristian,

Can you test and confirm that you can reproduce the issue with 4.11.0.0-rc1?


- Rohit

<https://cloudstack.apache.org>



________________________________
From: Kristian Liivak <kris@wavecom.ee>
Sent: Tuesday, January 16, 2018 4:10:17 PM
To: users
Cc: dev
Subject: Re: [DISCUSS] Freezing master for 4.11

Daan,

For us, and I guess for many other public cloud and VPS providers, it's a very big hole.
Imagine that 10-20 Chinese guys have made fraudulent orders and 10-20 VPSes are provisioned.
We are dealing with fraudulent orders on a daily basis.
Some time later the abusers will get caught in the act and the VPSes will be terminated.
If your customer increase is considerable, most probably one or more IPs will be given to
new customers during the same day.
Newly created instances then get the abusers' keys and root passwords.
If the new instance uses only keys, the root password will never be changed.
Abusers just need to log in with their old passwords and bitcoin mining or spamming will be started
again.
Some of the smarter customers are able to connect the dots and the service provider's reputation will be
seriously damaged.


Lugupidamisega / Regards

Kristian Liivak

Tegevjuht / Executive director

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: kris@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee


rohit.yadav@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue

----- Original Message -----
From: "Daan Hoogland" <daan.hoogland@gmail.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <dev@cloudstack.apache.org>
Sent: Monday, January 15, 2018 1:49:04 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Kristian,



On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <kris@wavecom.ee> wrote:
> ...



As for this one:

> Also there is major security hole. When instance is destroyed and expunged
> and new instance is created with old IP all old data is unaffected in VR
> New instance will get then old root password and ssh key if they were
> present in VR

I don't see how this is a security issue. The user won't get in and
update the key and password to get in. No harm done or am I overlooking
something?


--
Daan
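The failure mode Kristian and Daan are discussing above (the virtual router keeps per-IP root password and SSH key data after an instance is expunged, so the next instance that receives the same IP inherits it) is easy to reason about with a small model. The following is an added illustration, not CloudStack code: the VR is modelled as an in-memory dictionary keyed by guest IP, `expunge_instance_buggy` reproduces the reported behaviour (no cleanup), `expunge_instance_fixed` purges the released IP's record, and `find_stale_entries` is an audit a provider could run to spot records with no running instance behind them. All class and function names, and the IP and credential strings, are constructed for this example.

```python
"""Model of the stale VR credential problem discussed in the thread.

Constructed illustration only; it is not CloudStack's own code. The virtual
router (VR) is modelled as a dict keyed by guest IP holding the root password
and SSH public key last pushed for whichever instance had that IP. Names such
as VirtualRouterStore and expunge_instance_fixed are assumptions for this
example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class GuestRecord:
    """Per-IP data the VR keeps for password and SSH key delivery."""
    root_password: Optional[str] = None
    ssh_pubkey: Optional[str] = None


@dataclass
class VirtualRouterStore:
    """In-memory stand-in for the VR's per-IP metadata store."""
    records: Dict[str, GuestRecord] = field(default_factory=dict)

    def provision(self, ip: str, password: Optional[str], pubkey: Optional[str]) -> None:
        # A new instance only overwrites the fields it actually sets. An
        # instance that is deployed with keys only never touches the root
        # password, which is exactly how a stale password survives.
        rec = self.records.setdefault(ip, GuestRecord())
        if password is not None:
            rec.root_password = password
        if pubkey is not None:
            rec.ssh_pubkey = pubkey

    def lookup(self, ip: str) -> GuestRecord:
        return self.records.get(ip, GuestRecord())


def expunge_instance_buggy(store: VirtualRouterStore, ip: str) -> None:
    """Expunge as reported in the thread: the VR record is left untouched."""
    return None


def expunge_instance_fixed(store: VirtualRouterStore, ip: str) -> None:
    """Expunge that purges everything the VR holds for the released IP."""
    store.records.pop(ip, None)


def find_stale_entries(store: VirtualRouterStore, active_ips: Set[str]) -> Set[str]:
    """Audit helper: IPs that still carry VR data but have no running instance."""
    return {ip for ip in store.records if ip not in active_ips}


def simulate(expunge: Callable[[VirtualRouterStore, str], None]) -> GuestRecord:
    """Provision, expunge, then reuse the IP for a keys-only instance.

    Returns what the second (innocent) instance would find in the VR.
    """
    ip = "203.0.113.10"  # constructed address from the TEST-NET-3 range
    store = VirtualRouterStore()
    # First tenant: password and key both pushed to the VR.
    store.provision(ip, password="first-tenant-password", pubkey="ssh-ed25519 FIRSTKEY")
    expunge(store, ip)
    # Second tenant receives the same IP and injects only an SSH key.
    store.provision(ip, password=None, pubkey="ssh-ed25519 SECONDKEY")
    return store.lookup(ip)


if __name__ == "__main__":
    for name, handler in (("buggy", expunge_instance_buggy), ("fixed", expunge_instance_fixed)):
        rec = simulate(handler)
        print(f"{name}: root_password={rec.root_password!r} ssh_pubkey={rec.ssh_pubkey!r}")
    audit_store = VirtualRouterStore()
    audit_store.provision("203.0.113.10", "p", "k")
    audit_store.provision("203.0.113.11", "p", "k")
    print("stale:", find_stale_entries(audit_store, active_ips={"203.0.113.11"}))
```

With the buggy handler the second instance ends up with its own key but the first tenant's root password, which is the case Kristian describes; with the fixed handler the record is gone before reuse. The audit function is the cheap check to run on an existing deployment: any IP present in the VR store but absent from the list of running instances is a leftover that should be removed.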