cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <>
Subject Re: Patched 4.3.1 SystemVMs (was Re: git commit: updated refs/heads/master to 88acc9b)
Date Tue, 04 Nov 2014 08:31:56 GMT

> On 04-Nov-2014, at 1:49 pm, Santhosh Edukulla <> wrote:
> 2. The conf file changes done will not countermeasure the sytemplate vuln issue i believe,
we may still wanted to confirm that its indeed the httpd.conf which needs to be changed for
apache2 as well for the particular template fix.

AFAIK, on SSVM apache2 runs to serve templates/iso/volumes which users download and it uses
443/https and uses a custom SSL certificate if uploaded. If SSL is not enabled then it does
not apply.

In case of CPVM, the Java based agent uses an in-memory SSL keystore (that mgmt server sends
it when it starts) and it implements its own Java based webservice that serves the console
proxy over 443/https, again if SSL is enabled and a SSL certificate was uploaded.

In both cases, if SSL is not enabled (global settings) for SSVM/CPVM these SSL based attacks
don’t apply. Other than these components, it’s the ACS mgmt server (tomcat) or the reverse-proxy/LB
in front of it that needs to be fixed either in the server.xml file or in respective reverse-proxy
(such as nginx) or the LB (netscaler etc). I’m only aware of these components prone to SSL
attacks. If there are other areas, we should find and fix them.

Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 |
Blog: | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<>
CSForge – rapid IaaS deployment framework<>
CloudStack Consulting<>
CloudStack Infrastructure Support<>
CloudStack Bootcamp Training Courses<>

This email and any attachments to it may be confidential and are intended solely for the use
of the individual to whom it is addressed. Any views or opinions expressed are solely those
of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
registered by The Republic of South Africa and is traded under license from Shape Blue Ltd.
ShapeBlue is a registered trademark.

View raw message