incubator-cloudstack-dev mailing list archives

From Ahmad Emneina <Ahmad.Emne...@citrix.com>
Subject Re: API Key and Signature security flaw on CS4 - jenkins build non-oss 137
Date Mon, 22 Oct 2012 20:27:53 GMT
When you access cloudstack through the regular api endpoint
<host>:8080/client you will need to authenticate to execute commands. 8096
is the unauthenticated admin port, which should be locked down on
production installs.

On 10/22/12 1:25 PM, "Musayev, Ilya" <imusayev@webmd.net> wrote:

>I see... so the API Key and Signature generation is obsolete as well?
>
>-----Original Message-----
>From: Edison Su [mailto:Edison.su@citrix.com]
>Sent: Monday, October 22, 2012 4:16 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: API Key and Signature security flaw on CS4 - jenkins build
>non-oss 137
>
>By default, port 8096 is disabled, and is intended to be without API
>signature/key check.
>If the 8096 is turned on by yourself, then somehow, it's up to you how to
>secure it.
>
>> -----Original Message-----
>> From: Musayev, Ilya [mailto:imusayev@webmd.net]
>> Sent: Monday, October 22, 2012 1:04 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: API Key and Signature security flaw on CS4 - jenkins build
>> non-oss 137
>> 
>> I guess I found a not so cool feature/bug which at this moment is a
>> major security flaw for locally authenticated ssh use or from another
>> host on the network.
>> 
>> The API signature and key are not checked at all - I'm able to run the
>> commands against API port with any key - and command is executed
>> without checking the validity of Key/Signature.
>> 
>> Is this a known bug that may have been addressed or do I need to file
>> one?
>> 
>> How do we restrict access to 8096 from another host? Is it done via
>> iptables or some access rule in tomcat?
>> 
>> If it's iptables we need a deny rule for 8096 from external hosts by
>> default probably with setup script.
>> 
>> Thanks
>> ilya
>
>
>


-- 
Æ
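
The lockdown discussed in this thread, as an added example that is not part of the original messages or of CloudStack itself: a shell check that reads `ss -ltn` output, reports whether port 8096 is bound to a non-loopback address, and prints (without applying) an iptables rule that drops traffic to it from other hosts. The function names and the sample listener table are constructed for illustration; `ss` from iproute2 is assumed for the live check.

```shell
#!/bin/sh
# Added example (not from the thread): audit exposure of the unauthenticated port.
PORT=8096

# Constructed sample of `ss -ltn` output, used when no live check is requested.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      100    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      100    0.0.0.0:8096       0.0.0.0:*
EOF
}

# Read `ss -ltn` output on stdin; print every non-loopback address bound to $PORT.
exposed_listeners() {
    awk -v port="$PORT" '
        $1 != "LISTEN" { next }
        {
            start = match($4, /:[0-9]+$/)          # split "addr:port" at the last colon
            if (!start || substr($4, start + 1) != port) next
            host = substr($4, 1, start - 1)
            gsub(/^\[|\]$/, "", host)              # strip IPv6 brackets
            if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
            print host
        }'
}

# Exit status 0 when the port is closed or loopback-only, 1 when it is exposed.
audit() {
    exposed=$(exposed_listeners)
    if [ -n "$exposed" ]; then
        echo "EXPOSED: port $PORT is listening on:" $exposed
        return 1
    fi
    echo "OK: port $PORT is not listening on a non-loopback address"
}

# Print (do not apply) a rule dropping traffic to $PORT that arrives on any
# interface other than loopback; review it, then run it as root.
firewall_rule() {
    echo "iptables -I INPUT -p tcp --dport $PORT ! -i lo -j DROP"
}

case "${1:-}" in
    --live) ss -ltn | audit || firewall_rule ;;
    *)      sample_ss_output | audit || firewall_rule ;;
esac
```

Run with `--live` on the management server to check the real listener table; without arguments it evaluates the constructed sample.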



