incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Musayev, Ilya" <imusa...@webmd.net>
Subject RE: API Key and Signature security flaw on CS4 - jenkins build non-oss 137
Date Mon, 22 Oct 2012 20:25:03 GMT
I c. . so the API Key and Signature generation is obsolete as well?

-----Original Message-----
From: Edison Su [mailto:Edison.su@citrix.com] 
Sent: Monday, October 22, 2012 4:16 PM
To: cloudstack-dev@incubator.apache.org
Subject: RE: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

By default, port 8096 is disabled, and is intended to be without API signature/key check.
If the 8096 is turned on by yourself, then somehow, it's up to you how to secure it.

> -----Original Message-----
> From: Musayev, Ilya [mailto:imusayev@webmd.net]
> Sent: Monday, October 22, 2012 1:04 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: API Key and Signature security flaw on CS4 - jenkins build 
> non-oss 137
> 
> I guess I found a not so cool feature/bug which is at this moment is a 
> major security flaw for locally authenticated ssh use or from another 
> host on the network .
> 
> The API signature and key are not checked at all - I'm able to run the 
> commands against API port with any key - and command is executed 
> without checking the validity of Key/Signature.
> 
> Is this a known bug that may have been addressed or do I need to file 
> one?
> 
> How do we restrict access to 8096 from another host? Is it done via 
> iptables or some access rule in tomcat?
> 
> If its iptables we need a deny rule for 8096 from external hosts by 
> default probably with setup script.
> 
> Thanks
> ilya



Mime
View raw message