cloudstack-users mailing list archives

From Daan Hoogland <daan.hoogl...@gmail.com>
Subject Re: [CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds
Date Tue, 09 Dec 2014 22:46:55 GMT
Eric, the bug was fixed by a Citrix employee from India and it was
reported by Citrix in California. All ShapeBlue has done was include
it in its packaging after it was contributed to the Apache CloudStack
repository. So I would say Citrix' contribution to this is
instrumental and fundamental.


kind regards,
Daan (working for neither ShapeBlue nor Citrix, yet grateful to both)

On Tue, Dec 9, 2014 at 5:26 PM,  <esanders83@hushmail.com> wrote:
> Good evening,
> Just asking about the group.
> If it wasn't for shapeblue; what other user/body in the cloudstack
> community would resolve this quickly?  How much is Citrix even helping
> out anymore?
> thank you,
> Eric
>
> On 12/9/2014 at 3:40 AM, "Rohit Yadav"  wrote:
>
> ShapeBlue has created a patch that fixes this issue for Apache
> CloudStack 4.3.1 users; it is available from their “main” deb/rpm
> repository. ShapeBlue has also
> published Apache CloudStack 4.4.2 debs/rpms on their main and upstream
> repositories.
>
> Repository: http://shapeblue.com/packages
> Release notes:
> https://github.com/shapeblue/cloudstack/wiki/Apache-CloudStack-4.3.1-ShapeBlue-Patch02
> Source tag 4.3.1-shapeblue-02:
> https://github.com/shapeblue/cloudstack/releases/tag/shapeblue-4.3.1-02
>
> Regards.
>
>> On 09-Dec-2014, at 1:41 am, John Kinsella  wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
>>
>> CVSS:
>> 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> Vendors:
>> The Apache Software Foundation
>> Citrix, Inc.
>>
>> Versions Affected:
>> Apache CloudStack 4.3, 4.4
>>
>> Description:
>> Apache CloudStack may be configured to authenticate LDAP users.
>> When so configured, it performs a simple LDAP bind with the name
>> and password provided by a user.  Simple LDAP binds are defined
>> with three mechanisms (RFC 4513): 1) username and password; 2)
>> unauthenticated if only a username is specified; and 3) anonymous
>> if neither username nor password is specified.  Currently, Apache
>> CloudStack does not check if the password was provided which could
>> allow an attacker to bind as an unauthenticated user.
>>
>> Mitigation:
>> Users of Apache CloudStack 4.4 and derivatives should update to the
>> latest version (4.4.2)
>>
>> An updated release for Apache CloudStack 4.3.2 is in testing. Until
>> that is released, we recommend following the mitigation below:
>>
>> By default, many LDAP servers are not configured to allow
>> unauthenticated binds.  If the LDAP server in use allows this
>> behaviour, a potential interim solution would be to consider
>> disabling unauthenticated binds.
>>
>> Credit:
>> This issue was identified by the Citrix Security Team.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>> Comment: GPGTools - http://gpgtools.org
>>
>> iQIcBAEBCgAGBQJUhgUCAAoJEOom9N0pCN7SOQMQAKyBuhg25u3FcVOU5XMdGGpT
>> 2kSVFoLFR74ObI8bdr3HP+2LdLf/Go9QBBrWlZ034FUj6OV0Ct5o8TNB6AHbv0qF
>> Ar4N05JoGtPaDCe9sWV/+ykOJH8snQjnYwVFrLZlLw8Y/JUQ+I1yJBksw8a2/hT2
>> vmYgYiAQyrEMMk4bhBBlEyaJFMhuMtKtgUqLDW8wmlhkt2acZMt/0BKxDwAO8o7m
>> 6ypepPCmkPHUpD50tfcCI+K4ib/C5EOn40n4orM97/JHZLsCyhz5nk36eQMOQQz2
>> fJlaA04fQSV4Cv7c+S0LPh5e4e6TPSrOW3O4/V2dkjK/GgP8kUoo7ivyjIw6d2oJ
>> Z5vqqgxrmgwDjH58YfVu3tyVuDlOFTZfCLkhdoXMxHfMLYYKeXkffRli9XabxrE+
>> AkVoXaQAumf8IzTLVSQztV18jC79kvEeCV0pFYOjb/X/gShemruqmCWVDulj1ax6
>> tzoP+Bm2mQRyrRClY37R+q3cQ2z6eNAC/vAoYzhYBN1o63MYneLYDADhyE6YIGz0
>> LTbDDGFn0WVdFDrqworHdYDIMW7HQFMNtsQuueeP7LBldsgyTmjmBMp+S3Tq27UT
>> RaVgp3n9ZUPdzj/i1vvJBrATKUNmv1GDoy+C1GPNx423nEOe7dFkMJARlcbf5Pml
>> 03DX+ot4Xan0P5HXPT+r
>> =QqOf
>> -----END PGP SIGNATURE-----
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
> Find out more about ShapeBlue and our range of CloudStack related
> services
>
> IaaS Cloud Design & Build
> CSForge – rapid IaaS deployment framework
> CloudStack Consulting
> CloudStack Software Engineering
> CloudStack Infrastructure Support
> CloudStack Bootcamp Training Courses
>
> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed.
> Any views or opinions expressed are solely those of the author and do
> not necessarily represent those of Shape Blue Ltd or related
> companies. If you are not the intended recipient of this email, you
> must neither take any action based upon its contents, nor copy or show
> it to anyone. Please contact the sender if you believe you have
> received this email in error. Shape Blue Ltd is a company incorporated
> in England & Wales. ShapeBlue Services India LLP is a company
> incorporated in India and is operated under license from Shape Blue
> Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in
> Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA
> Pty Ltd is a company registered by The Republic of South Africa and is
> traded under license from Shape Blue Ltd. ShapeBlue is a registered
> trademark.



-- 
Daan
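The advisory quoted in this thread (John Kinsella's description of CVE-2014-7807) explains the three RFC 4513 simple-bind flavours and the missing password check that let a login succeed with an empty password. The following Python is an added illustration written for this archive page; it is not CloudStack's code and not code from any of the posters. It uses a constructed in-memory stand-in for an LDAP server (`FakeLdapServer`, the DN `cn=alice,ou=users,dc=example,dc=com` and its password are all assumptions) to show the vulnerable pattern, the client-side fix (refuse anything that is not a name/password bind), and the advisory's server-side interim mitigation (reject unauthenticated binds), and how each combination behaves.

```python
"""Added illustration of CVE-2014-7807's root cause (not CloudStack's code).

RFC 4513 section 5.1 distinguishes three simple-bind flavours:
  - anonymous:       empty name and empty password
  - unauthenticated: a name but an empty password
  - name/password:   both present
Only the last one proves that the caller knows the password, so a login
path that forwards whatever the user typed straight into a simple bind
lets an empty password through whenever the server accepts
unauthenticated binds.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed directory standing in for a real LDAP server's user entries.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": "correct-horse-battery-staple",
}


def classify_simple_bind(name: Optional[str], password: Optional[str]) -> str:
    """Classify a simple bind per RFC 4513 section 5.1 (None counts as empty)."""
    if not name and not password:
        return "anonymous"
    if not password:
        return "unauthenticated"
    return "name/password"


@dataclass
class FakeLdapServer:
    """Stand-in for a directory's simple-bind handling (constructed, not real).

    allow_unauthenticated models the server-side setting the advisory
    recommends turning off as an interim mitigation; RFC 4513 section 5.1.2
    says servers SHOULD reject unauthenticated binds by default.
    """
    allow_unauthenticated: bool = False

    def simple_bind(self, name: Optional[str], password: Optional[str]) -> bool:
        kind = classify_simple_bind(name, password)
        if kind == "anonymous":
            return True  # no identity asserted, nothing verified
        if kind == "unauthenticated":
            # The name is merely asserted; no credential is checked at all.
            return self.allow_unauthenticated
        return DIRECTORY.get(name) == password


def vulnerable_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """The pattern the advisory describes: bind with whatever was supplied."""
    return server.simple_bind(username, password)


def fixed_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """Client-side fix: only a name/password bind may count as a user login."""
    if classify_simple_bind(username, password) != "name/password":
        return False
    return server.simple_bind(username, password)


def run_scenarios() -> dict:
    """Outcome of each client/server combination for the constructed user."""
    user = "cn=alice,ou=users,dc=example,dc=com"
    good_pw = DIRECTORY[user]
    permissive = FakeLdapServer(allow_unauthenticated=True)
    hardened = FakeLdapServer(allow_unauthenticated=False)
    return {
        # vulnerable code + server allowing unauthenticated binds: empty password logs in
        "vulnerable/permissive/empty_pw": vulnerable_login(permissive, user, ""),
        # the advisory's interim mitigation alone (server rejects unauthenticated binds)
        "vulnerable/hardened/empty_pw": vulnerable_login(hardened, user, ""),
        # the code fix alone (client refuses to bind without a password)
        "fixed/permissive/empty_pw": fixed_login(permissive, user, ""),
        # normal logins still behave
        "fixed/hardened/good_pw": fixed_login(hardened, user, good_pw),
        "fixed/hardened/bad_pw": fixed_login(hardened, user, "wrong"),
    }


if __name__ == "__main__":
    for scenario, allowed in run_scenarios().items():
        print(f"{scenario:32} -> {'LOGGED IN' if allowed else 'rejected'}")
```

The point of the five scenarios is that either side closes the hole on its own, which is why the advisory offers the server-side setting as a stopgap for 4.3 users until a patched release: the client-side check stops the empty-password bind from ever being sent, and a server that refuses unauthenticated binds turns the same request into a failed login. Doing both is the defensive default, since a code path that treats "the bind did not fail" as "the password was verified" is the mistake being fixed.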
