From: John Kinsella
Subject: CVE-2015-3252: Apache CloudStack VNC authentication issue
Date: Thu, 4 Feb 2016 19:04:19 -0800
To: users@cloudstack.apache.org
Message-Id: <7508580E-3D83-49FD-BE6E-B329B0503130@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2015-3252: Apache CloudStack VNC authentication issue

CVSS v2: 4.3 (AV:N/AC:H/Au:M/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Affected:
Apache CloudStack 4.4.4, 4.5.1

Description:
Apache CloudStack sets a VNC password unique to each KVM virtual machine under management. Upon migrating a VM from one host to another, the VNC password is no longer set in KVM on the new host. To leverage this issue, an attacker would need to have network access to a CloudStack host to be able to connect via VNC directly.

Mitigation:
Users of Apache CloudStack and derivatives should ensure their hosts are behind network firewalls, and should update to at least version 4.5.2 or 4.6.0, depending on which tree is being used.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJWs/dCAAoJELAo8zo1KBbtsX8QAMf2s9OIY3FTbMbTIo/LBmLa
rOOE46SBcmypN1TCHKW0K9etymieI58CPX9LHNdtZcAMa1khl4uo/Euz0wGu0zZZ
awXahXEKUkLSTQDDYJP+8TmKvnIan/mYXRvPEHi2bMCtQ+CjY5qvcge9wXpFDKty
B3LP9n/zYDkQCvBLmjPuqIM+B4JXT9q/e3LsVQHrjhBxheY26CMrSRZ/aLxmzxbh
SSNs4oMZhLEPHoSt/lWsHYd/HxJ/eEjyQunP0UpO5d5/RZypYllPHcbaFPqtC4uK
55VB3JGyPiSEpxbbWEAqrPlOwCU9yNhRXnjdf3gc360NtdjncY1R49+VvUc6C+6u
FqPmy5LFja5uQ1w6/VDdwoT9GeBL9rooMFsLgRpv+FCKPYEtvvIbvot45xA5TCAi
MoU7RjYZoWHTmXLYcQOSSzFnySjLVqdrIL6fgu4gpehB/Od+sV+dwaKM/l03Ml8S
mTerjUNkG2e+pNuWk703aLv4YrKv63T2ga8Nli00BYSyzsxDupd+0XmBzvsLPCMY
uEbxBVVFSpIJMtTacBNgRQGFEQVh+DxPgDaXoZ6RFU/QKVZuWAq85qVEcbDjf8bM
0C6D3f5uXaFaXm4ff1FZ/s/4YOj4rm5EyawrM+Me218+PKMJPHzvsL8y10GCj1T8
s1S77QqgKhqFc+98Z1m3
=OY+T
-----END PGP SIGNATURE-----
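The advisory's condition (a migrated KVM guest whose VNC console ends up with no password set) can be audited from the hypervisor side. The script below is an added example, not code from the advisory or from the CloudStack project: it assumes CloudStack drives KVM through libvirt, that the per-VM VNC password appears as the `passwd` attribute of the `<graphics type='vnc'>` element when the domain XML is dumped with `virsh dumpxml --security-info` (plain `virsh dumpxml` omits the password, so an audit fed that output would wrongly flag every guest), and that a VNC device with no listen address defaults to loopback. The domain names, ports and password value in the sample dumps are constructed for the example.

```python
"""Audit libvirt domain XML for KVM guests whose VNC console has no password.

Added example, not part of the advisory. Assumptions: CloudStack manages KVM
through libvirt, and the per-VM VNC password appears as the ``passwd``
attribute of ``<graphics type='vnc'>`` in XML produced by
``virsh dumpxml --security-info`` (plain ``virsh dumpxml`` omits it, so an
audit over that output would report every guest as unprotected).
"""
import xml.etree.ElementTree as ET

# Addresses on which an unauthenticated VNC listener is reachable only locally.
LOCAL_ONLY = {"127.0.0.1", "::1", "localhost"}


def vnc_listeners(root):
    """Return [(listen_address, has_password)] for each VNC device of a domain."""
    listeners = []
    for g in root.iter("graphics"):
        if g.get("type") != "vnc":
            continue
        # libvirt accepts either a listen= attribute or a <listen> child element.
        listen = g.get("listen")
        if listen is None:
            child = g.find("listen")
            if child is not None:
                listen = child.get("address")
        # Assumed default when neither form is present: the loopback address.
        listeners.append((listen or "127.0.0.1", bool(g.get("passwd"))))
    return listeners


def audit_domain(domain_xml):
    """Return findings for one domain; an empty list means every VNC device
    has a password. Unauthenticated listeners bound beyond loopback are
    rated HIGH, loopback-only ones LOW."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name") or "<unnamed>"
    findings = []
    for listen, has_password in vnc_listeners(root):
        if has_password:
            continue
        severity = "LOW" if listen in LOCAL_ONLY else "HIGH"
        findings.append(f"{severity}: {name}: VNC on {listen} has no password")
    return findings


def audit_host(domain_xmls):
    """Run audit_domain over every dumped domain and flatten the findings."""
    findings = []
    for xml in domain_xmls:
        findings.extend(audit_domain(xml))
    return findings


# Constructed sample dumps (names, ports and password are made up here).
SAMPLE_DOMAINS = [
    # A guest in the intended state: password set, listener on loopback.
    "<domain type='kvm'><name>i-2-7-VM</name><devices>"
    "<graphics type='vnc' port='5900' listen='127.0.0.1' passwd='s3cret'/>"
    "</devices></domain>",
    # The post-migration state the advisory describes: no passwd attribute,
    # and here the listener is also bound to every interface.
    "<domain type='kvm'><name>i-2-9-VM</name><devices>"
    "<graphics type='vnc' port='5901' autoport='yes'>"
    "<listen type='address' address='0.0.0.0'/>"
    "</graphics></devices></domain>",
]

if __name__ == "__main__":
    # On a real host, feed in the output of
    #   virsh dumpxml --security-info <domain>
    # for each domain named by `virsh list --name`.
    for line in audit_host(SAMPLE_DOMAINS) or ["OK: all VNC devices have a password"]:
        print(line)
```

Run periodically on each KVM host (or right after a migration) and alert on any HIGH line; a LOW finding still indicates the password was lost, but the listener is only reachable from the host itself, which is the situation the advisory's firewall recommendation is meant to enforce for the rest.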