From esander...@hushmail.com
Subject Re: [CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds
Date Tue, 09 Dec 2014 23:06:57 GMT
Ha! Sorry.. I got your last name confused with UK side and Geoff/Giles filled in that hole.. /me smack.. ha

On 12/9/2014 at 5:03 PM, "Daan Hoogland" wrote:
I am not working for ShapeBlue, Eric, nor for Citrix, but they both
help out a lot, yes.

On Tue, Dec 9, 2014 at 11:56 PM,   wrote:
> Daan,
> Thank you for your insight on this matter.
> I have seen on occasion that Citrix comes in and helps out. You
> guys (shapeblue) have definitely been contributing to this forum a
> whole lot and for that I appreciate it.
> thank you again
> Eric
>
> On 12/9/2014 at 4:49 PM, "Daan Hoogland" wrote:
> Eric, the bug was fixed by a Citrix employee from India and it was
> reported by Citrix in California. All ShapeBlue has done was include
> it in its packaging after it was contributed to the Apache CloudStack
> repository. So I would say Citrix's contribution to this is
> instrumental and fundamental.
> kind regards,
> Daan (working for neither ShapeBlue nor Citrix, yet grateful to both)
>
> On Tue, Dec 9, 2014 at 5:26 PM,   wrote:
>> Good evening,
>> Just asking about the group.
>> If it wasn't for shapeblue; what other user/body in the cloudstack
>> community would resolve this quickly? How much is Citrix even
>> helping out anymore?
>> thank you
>> Eric
>>
>> On 12/9/2014 at 3:40 AM, "Rohit Yadav" wrote:
>> ShapeBlue has created a patch that fixes this issue for Apache
>> CloudStack 4.3.1 users; it is available from their “main” deb/rpm
>> repository. ShapeBlue has also published Apache CloudStack 4.4.2
>> debs/rpms on their main and upstream repositories.
>>
>> Repository: http://shapeblue.com/packages
>> Release notes:
>> https://github.com/shapeblue/cloudstack/wiki/Apache-CloudStack-4.3.1-ShapeBlue-Patch02
>> Source tag 4.3.1-shapeblue-02:
>> https://github.com/shapeblue/cloudstack/releases/tag/shapeblue-4.3.1-02
>>
>> Regards.
>>
>>> On 09-Dec-2014, at 1:41 am, John Kinsella  wrote:
>>>
>>> CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
>>>
>>> CVSS:
>>> 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
>>>
>>> Vendors:
>>> The Apache Software Foundation
>>> Citrix, Inc.
>>>
>>> Versions Affected:
>>> Apache CloudStack 4.3, 4.4
>>>
>>> Description:
>>> Apache CloudStack may be configured to authenticate LDAP users.
>>> When so configured, it performs a simple LDAP bind with the name
>>> and password provided by a user. Simple LDAP binds are defined
>>> with three mechanisms (RFC 4513): 1) username and password; 2)
>>> unauthenticated if only a username is specified; and 3) anonymous
>>> if neither username nor password is specified. Currently, Apache
>>> CloudStack does not check if the password was provided, which could
>>> allow an attacker to bind as an unauthenticated user.
>>>
>>> Mitigation:
>>> Users of Apache CloudStack 4.4 and derivatives should update to the
>>> latest version (4.4.2).
>>>
>>> An updated release for Apache CloudStack 4.3.2 is in testing. Until
>>> that is released, we recommend following the mitigation below:
>>>
>>> By default, many LDAP servers are not configured to allow
>>> unauthenticated binds. If the LDAP server in use allows this
>>> behaviour, a potential interim solution would be to consider
>>> disabling unauthenticated binds.
>>>
>>> Credit:
>>> This issue was identified by the Citrix Security Team.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
> --
> Daan
-- 
Daan
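An added example (Python, not Apache CloudStack's code) modelling the defect the quoted advisory describes: it classifies a simple bind into the three RFC 4513 mechanisms, uses a hypothetical FakeDirectory in place of an LDAP server that accepts unauthenticated binds, and shows a login that trusts the bind result as-is beside one that rejects anything other than a name/password bind before contacting the directory.

```python
# Added example, not Apache CloudStack code: a model of the defect behind
# CVE-2014-7807. RFC 4513 section 5.1 defines three simple-bind mechanisms;
# only name/password proves the caller knows a secret. FakeDirectory is a
# hypothetical stand-in for an LDAP server that permits unauthenticated binds.

ANONYMOUS = "anonymous"              # empty name, empty password
UNAUTHENTICATED = "unauthenticated"  # name given, empty password
NAME_PASSWORD = "name/password"      # both given
INVALID = "invalid"                  # password without a name


def classify_simple_bind(name: str, password: str) -> str:
    """Map a (name, password) pair to its RFC 4513 simple-bind mechanism."""
    if not name:
        return ANONYMOUS if not password else INVALID
    return NAME_PASSWORD if password else UNAUTHENTICATED


class FakeDirectory:
    """Constructed directory: users maps name -> password."""

    def __init__(self, users: dict, allow_unauthenticated: bool):
        self.users = users
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, name: str, password: str) -> bool:
        """Return True when the server reports a successful bind."""
        kind = classify_simple_bind(name, password)
        if kind == NAME_PASSWORD:
            return self.users.get(name) == password
        # An unauthenticated bind "succeeds" on a permissive server but grants
        # only anonymous access; nothing about the user has been verified.
        return kind == UNAUTHENTICATED and self.allow_unauthenticated


def login_vulnerable(directory: FakeDirectory, name: str, password: str) -> bool:
    """The pattern the advisory describes: bind success taken as proof of identity."""
    return directory.bind(name, password)


def login_fixed(directory: FakeDirectory, name: str, password: str) -> bool:
    """Refuse anything but a name/password bind before calling the server."""
    if classify_simple_bind(name, password) != NAME_PASSWORD:
        return False
    return directory.bind(name, password)


# Constructed sample: one user, server permits unauthenticated binds.
SAMPLE = FakeDirectory({"alice": "correct horse"}, allow_unauthenticated=True)
```

With SAMPLE, `login_vulnerable(SAMPLE, "alice", "")` returns True while `login_fixed` returns False; both accept the real password and reject a wrong one.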