ESA-14: Shell Injection Vulnerability on NC

Eucalyptus Security Team

Oct 24, 2013, 12:52:19 PM10/24/13
to security...@eucalyptus.com
ESA-14: Shell Injection Vulnerability on NC

====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-14
Issue Date: 2013-10-02
Last Updated: 2013-10-24
Severity Level: Critical
Affected Versions: Eucalyptus 3.0.0 to Eucalyptus 3.3.1
CVE Number: CVE-2013-4767
====================================================================

OVERVIEW
------------

A vulnerability has been identified in Eucalyptus 3.0.0 through 3.3.1. An authenticated Eucalyptus user can execute potentially arbitrary shell commands with root privileges on Node Controller (NC) components. An update is now available that resolves this issue. We advise immediately updating all affected Eucalyptus installations.


DESCRIPTION
-------------

A flaw was identified in the implementation of the instance bundling functionality on NC hosts. A user with permission to bundle instances could manipulate the input parameters of a bundle request and execute potentially arbitrary shell commands on the NC with root privileges. This could lead to complete compromise of the NC and potentially allow access to data on EBS and Walrus.
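The description above names the failure mode: caller-supplied bundling parameters reaching a root shell. The script below is an added illustration, not Eucalyptus code, of the two controls that close this class of bug: allowlist validation of every caller-supplied value, and invoking the helper with separate arguments rather than building a command string for a shell to parse. The parameter names (bucket, prefix) and the BUNDLE_TOOL variable are assumptions for the demo; BUNDLE_TOOL defaults to "true" so the script runs without a real helper.

```shell
#!/bin/sh
# Added example, not Eucalyptus code. Demonstrates (1) allowlist validation of
# caller-supplied parameters and (2) passing them to a helper as separate argv
# entries, never as a string handed to sh -c or eval.
# bucket/prefix and BUNDLE_TOOL are assumed names for the demo; BUNDLE_TOOL
# defaults to "true" so the script runs anywhere.
: "${BUNDLE_TOOL:=true}"

# Exit 0 only for values made of letters, digits, '.', '_' and '-'.
# Anything a shell could interpret (space, ; | & $ ` quotes, newline) lies
# outside the allowlist, and a leading '-' is rejected so the value cannot be
# read as an option by the helper.
is_safe_param() {
    case "$1" in
        '')                  return 1 ;;   # empty value
        -*)                  return 1 ;;   # looks like an option
        *[!A-Za-z0-9._-]*)   return 1 ;;   # character outside the allowlist
        *)                   return 0 ;;
    esac
}

# Run the helper with validated values. Each value is its own argument and is
# never interpolated into a command string, so even a value that slipped past
# validation could not append a second command.
run_bundle() {
    bucket=$1
    prefix=$2
    is_safe_param "$bucket" || { echo "rejected bucket: $bucket" >&2; return 2; }
    is_safe_param "$prefix" || { echo "rejected prefix: $prefix" >&2; return 2; }
    "$BUNDLE_TOOL" --bucket "$bucket" --prefix "$prefix"
}

# Constructed sample inputs: the last three are the kind a fix must refuse.
for candidate in 'my-bucket' 'images_2013.10' 'bad;extra' 'bad name' '--flag'; do
    if is_safe_param "$candidate"; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```

The allowlist is deliberately narrow; widening it to admit a character the helper needs is safer than switching to a denylist of shell metacharacters, which is easy to leave incomplete.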


WORKAROUND
-------------
If an immediate upgrade is not possible, existing installations can be protected from the vulnerability by disabling BundleInstance functionality (creation of EMIs from running Windows instances). To apply the workaround, perform the following on each of the CC hosts in your installation:

1) In /usr/lib64/axis2c/services/EucalyptusCC/services.xml remove the following three consecutive lines:
<operation name="BundleInstance">
<parameter name="wsamapping">EucalyptusCC#BundleInstance</parameter>
</operation>

2) Restart the Cluster Controller service:
# service eucalyptus-cc restart
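The two workaround steps above, scripted as one idempotent procedure with a backup and a post-edit check. This is an added example, not Eucalyptus tooling: the descriptor path and the service name come from the advisory; the backup suffix ".pre-ESA-14" and the --apply flag are assumptions. Without --apply the script runs only against a constructed copy of the descriptor, so it can be tried off a CC host.

```shell
#!/bin/sh
# Added example, not Eucalyptus tooling. Removes the BundleInstance operation
# from the CC services descriptor named in ESA-14, keeps a backup, verifies the
# result, and (only with --apply) restarts the CC as the advisory instructs.
SERVICES_XML=${SERVICES_XML:-/usr/lib64/axis2c/services/EucalyptusCC/services.xml}

# Print the descriptor with the <operation name="BundleInstance"> block removed.
# Everything from that opening tag up to and including the next </operation>
# is dropped; every other operation passes through untouched.
strip_bundle_instance() {
    awk '
        /<operation name="BundleInstance">/ { skipping = 1 }
        !skipping                           { print }
        skipping && /<\/operation>/         { skipping = 0 }
    ' "$1"
}

# Exit 0 only when the file no longer exposes BundleInstance.
bundle_instance_disabled() {
    ! grep -q '<operation name="BundleInstance">' "$1"
}

# Edit the descriptor in place with a backup, then verify the removal.
# Does not restart the CC; that stays an explicit second step for the caller.
apply_workaround() {
    file=$1
    if bundle_instance_disabled "$file"; then
        echo "BundleInstance already absent from $file"
        return 0
    fi
    cp -p "$file" "$file.pre-ESA-14" || return 1      # assumed backup suffix
    tmp=$(mktemp) || return 1
    # write back through cat so the file keeps its owner and mode
    strip_bundle_instance "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    bundle_instance_disabled "$file" || { echo "BundleInstance still present in $file" >&2; return 1; }
    echo "BundleInstance removed from $file (backup: $file.pre-ESA-14)"
}

# Demo on a constructed descriptor so the logic can be exercised without a CC.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/services.xml" <<'EOF'
<service name="EucalyptusCC">
<operation name="RunInstances">
<parameter name="wsamapping">EucalyptusCC#RunInstances</parameter>
</operation>
<operation name="BundleInstance">
<parameter name="wsamapping">EucalyptusCC#BundleInstance</parameter>
</operation>
<operation name="TerminateInstances">
<parameter name="wsamapping">EucalyptusCC#TerminateInstances</parameter>
</operation>
</service>
EOF
    apply_workaround "$dir/services.xml" && cat "$dir/services.xml"
    rm -rf "$dir"
}

if [ "${1-}" = "--apply" ]; then
    apply_workaround "$SERVICES_XML" && service eucalyptus-cc restart
else
    demo
fi
```

Run it as root with --apply on each CC host; bundle_instance_disabled doubles as the check to run afterwards (or from configuration management) to confirm the workaround is still in place after any package update that could rewrite services.xml.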



SOLUTION
-------------

Eucalyptus version 3.3.2 resolves this issue. Please see
http://www.eucalyptus.com/download/eucalyptus for instructions on
downloading and upgrading to the latest Eucalyptus software.



CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
