cloudstack-users mailing list archives

Subject Re: [CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds
Date Tue, 09 Dec 2014 22:56:49 GMT
Thank you for your insight on this matter.
I have seen on occasion that Citrix comes in and helps out.  You guys
(shapeblue) have definitely been contributing to this forum a whole
lot and for that I appreciate it.
thank you again
Eric

On 12/9/2014 at 4:49 PM, "Daan Hoogland"  wrote:
Eric, the bug was fixed by a Citrix employee from India and it was
reported by Citrix in California. All ShapeBlue has done was include
it in its packaging after it was contributed to the Apache CloudStack
repository. So I would say Citrix's contribution to this is
instrumental and fundamental.
kind regards,
Daan (working for neither ShapeBlue nor Citrix, yet grateful to both)

On Tue, Dec 9, 2014 at 5:26 PM,   wrote:
> Good evening,
> Just asking about the group.
> If it wasn't for shapeblue; what other user/body in the cloudstack
> community would resolve this quickly?  How much is Citrix even
> out anymore?
> thank you
> Eric
> On 12/9/2014 at 3:40 AM, "Rohit Yadav"  wrote:
> ShapeBlue has created a patch that fixes this issue for Apache
> CloudStack 4.3.1 users; it is available from their "main" deb/rpm
> repository. ShapeBlue has published Apache CloudStack 4.4.2 debs/rpms
> on their main and repositories.
> Repository:
> Release notes:
> Source tag 4.3.1-shapeblue-02:
> Regards.
>> On 09-Dec-2014, at 1:41 am, John Kinsella  wrote:
>> CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
>> CVSS:
>> 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
>> Vendors:
>> The Apache Software Foundation
>> Citrix, Inc.
>> Versions Affected:
>> Apache CloudStack 4.3, 4.4
>> Description:
>> Apache CloudStack may be configured to authenticate LDAP users.
>> When so configured, it performs a simple LDAP bind with the name
>> and password provided by a user.  Simple LDAP binds are defined
>> with three mechanisms (RFC 4513): 1) username and password; 2)
>> unauthenticated if only a username is specified; and 3) anonymous
>> if neither username nor password is specified.  Currently, Apache
>> CloudStack does not check if the password was provided, which could
>> allow an attacker to bind as an unauthenticated user.
>> Mitigation:
>> Users of Apache CloudStack 4.4 and derivatives should update to the
>> latest version (4.4.2).
>> An updated release for Apache CloudStack 4.3.2 is in testing. Until
>> that is released, we recommend following the mitigation below:
>> By default, many LDAP servers are not configured to allow
>> unauthenticated binds.  If the LDAP server in use allows this
>> behaviour, a potential interim solution would be to consider
>> disabling unauthenticated binds.
>> Credit:
>> This issue was identified by the Citrix Security Team.
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
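The three RFC 4513 simple-bind cases from the advisory, with the pre-bind check that the fix needs, as an added example rather than CloudStack's own code. The `PermissiveLdapServer` class is a constructed stand-in for a directory that accepts unauthenticated binds, so the example runs offline; the sample user entry is constructed too.

```python
# Added illustration (not CloudStack's code): how an empty password turns a
# "name/password" simple bind into an "unauthenticated" one, and the check
# that an LDAP authenticator must perform before it ever sends the bind.
from dataclasses import dataclass

ANONYMOUS = "anonymous"            # RFC 4513 5.1.1: empty name, empty password
UNAUTHENTICATED = "unauthenticated"  # RFC 4513 5.1.2: name given, empty password
AUTHENTICATED = "authenticated"    # RFC 4513 5.1.3: name and password both given
INVALID = "invalid"                # empty name with a password: no mechanism matches


def classify_simple_bind(name: str, password: str) -> str:
    """Return which RFC 4513 simple-bind mechanism these inputs would trigger."""
    if not name and not password:
        return ANONYMOUS
    if name and not password:
        return UNAUTHENTICATED
    if name and password:
        return AUTHENTICATED
    return INVALID


@dataclass
class PermissiveLdapServer:
    """Constructed stand-in for a directory that permits unauthenticated binds."""
    users: dict  # name -> password (constructed sample data)

    def simple_bind(self, name: str, password: str) -> bool:
        # An unauthenticated or anonymous bind succeeds without checking the
        # name at all, which is exactly what the advisory warns about.
        if password == "":
            return True
        return self.users.get(name) == password


def login_vulnerable(server: PermissiveLdapServer, username: str, password: str) -> bool:
    """Pre-fix behaviour the advisory describes: bind with whatever was supplied."""
    return server.simple_bind(username, password)


def login_fixed(server: PermissiveLdapServer, username: str, password: str) -> bool:
    """Refuse up front unless the inputs would produce a name/password bind."""
    if classify_simple_bind(username, password) != AUTHENTICATED:
        return False
    return server.simple_bind(username, password)
```

Rejecting the empty password on the application side is independent of the server-side interim mitigation in the advisory (disabling unauthenticated binds on the LDAP server); the two complement each other.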