-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Product: Apache CloudStack
Vendor: The Apache Software Foundation
CVE References: CVE-2013-2756, CVE-2013-2758
Vulnerability Type(s): Authentication bypass (2756), cryptography (2758)
Vulnerable version(s): Apache CloudStack version 4.0.0-incubating and 4.0.1-incubating
Risk Level: High, Medium
CVSSv2 Base Scores: 7.3 (AV:N/AC:H/Au:N/C:P/I:C/A:C), 4.3 (AV:A/AC:H/Au:N/C:P/I:P/A:P)

Description:
The CloudStack PMC was notified of two issues found in Apache CloudStack:

1) An attacker with knowledge of CloudStack source code could gain unauthorized access to the console of another tenant's VM.
2) Insecure hash values may lead to information disclosure.

URLs generated by Apache CloudStack to provide console access to virtual machines contained a hash of a predictable sequence, and that hash was generated with a weak algorithm. While not easy to leverage, this may allow a malicious user to gain unauthorized console access.

Mitigation:
Updating to Apache CloudStack version 4.0.2 or higher mitigates these vulnerabilities.

Credit:
These issues were reported by Wolfram Schlich and Mathijs Schmittmann to the Citrix security team, who in turn notified the Apache CloudStack PMC.
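The root cause described above is a console-access token that anyone who knows the inputs can recompute: an unkeyed hash over a predictable sequence. The following is an added example, not CloudStack code, showing the token design that closes that gap: a server-side secret key (HMAC), a random nonce, an expiry, and constant-time verification. The field names, the "|" delimiter and the assumption that VM and user ids contain no "|" are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example; a real deployment loads this from protected
# server-side configuration. Without a secret key, a hash over fields the
# user already knows (VM id, user id, a counter) gives no protection at all.
SERVER_KEY = secrets.token_bytes(32)


def issue_console_ticket(vm_id: str, user_id: str, ttl_seconds: int = 120,
                         now: Optional[int] = None, key: bytes = SERVER_KEY) -> str:
    """Return an unguessable, expiring, tenant-bound console ticket."""
    current = int(time.time()) if now is None else now
    expires = current + ttl_seconds
    nonce = secrets.token_hex(16)          # makes every ticket unique
    payload = f"{vm_id}|{user_id}|{expires}|{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_console_ticket(ticket: str, vm_id: str, user_id: str,
                          now: Optional[int] = None, key: bytes = SERVER_KEY) -> bool:
    """Accept the ticket only if its MAC is valid, it names this VM and
    user, and it has not expired. Checks run in that order so that no
    field is trusted before the MAC has authenticated it."""
    try:
        t_vm, t_user, t_exp, nonce, tag = ticket.split("|")
    except ValueError:
        return False
    payload = "|".join([t_vm, t_user, t_exp, nonce])
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False
    if t_vm != vm_id or t_user != user_id:       # another tenant's VM
        return False
    current = int(time.time()) if now is None else now
    return int(t_exp) > current
```

Binding the ticket to the requesting user is what stops a valid ticket for one tenant from opening another tenant's console; the nonce and key are what stop the ticket from being predicted in the first place.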