ESA-15: Web Services Denial of Service Vulnerability

Eucalyptus Security Team, Mar 11, 2014, to security...@eucalyptus.com

====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-15
Issue Date: 2014-02-24
Last Updated: 2014-03-11
Severity Level: Important
Affected Versions: Eucalyptus 2.0 to Eucalyptus 3.4.1
CVE Number: CVE-2013-4768
====================================================================

OVERVIEW
------------

A security issue has been identified in the way Eucalyptus Java-based components handle network connections to web services APIs. All versions of Eucalyptus starting from 2.0 are affected. An update is now available in 3.4.2 that resolves this issue. We advise immediately updating all affected Eucalyptus installations.


DESCRIPTION
-------------

A flaw was identified in the network connection clean-up code that allows Denial of Service attacks against Eucalyptus web services APIs by remote, unauthenticated attackers. All Java-based components are affected, including the Cloud Controller (CLC), Walrus, the Storage Controller (SC), and the VMware Broker (VB).


WORKAROUND
-------------

Restricting network access to the Eucalyptus web services APIs to trusted clients only (where possible) can help prevent intentional DoS attacks. Please refer to the Administration Guide at https://www.eucalyptus.com/docs for the Eucalyptus open ports and connectivity rules.
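The following script is an added worked form of this workaround; it is not part of the advisory or of Eucalyptus itself. It emits iptables rules that admit the web services port only from an allowlist of trusted networks, cap concurrent connections per trusted source (a partial mitigation for connection-exhaustion attacks from hosts that are allowed in), and drop everything else with rate-limited logging. The port 8773 and the networks 10.0.0.0/24 and 192.0.2.0/24 are assumptions for illustration; confirm the ports for your release against the Administration Guide, and remember that the allowlist on each host must include the other Eucalyptus component hosts, since the CLC, Walrus and SC talk to each other over this port.

```shell
#!/bin/sh
# Added example, not part of the advisory or the Eucalyptus code base.
# Emits iptables rules that allow the Eucalyptus web services port only from
# an allowlist of trusted client networks and drop everything else.
# Assumptions (placeholders; verify against the Administration Guide for your
# release): 8773 is the web services port, and the CIDRs used below are made up.

set -u

EUCA_WS_PORT="${EUCA_WS_PORT:-8773}"
# Cap on concurrent connections per source address, a partial mitigation for
# connection-exhaustion attacks coming from a host that is on the allowlist.
EUCA_WS_CONNLIMIT="${EUCA_WS_CONNLIMIT:-64}"

# Accept only dotted-quad IPv4 CIDRs (shape check, mask 0-32) so that a typo
# cannot turn into a rule with no -s, which iptables treats as "any source".
is_ipv4_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# gen_euca_ws_rules PORT CIDR... : print the rules in the order they must be
# appended: per-network connection cap and accept, then a logged default drop
# for the port. Returns 1 (printing nothing) if the list is empty or malformed.
gen_euca_ws_rules() {
    port="$1"; shift
    [ "$#" -gt 0 ] || { echo "no trusted networks given" >&2; return 1; }
    for cidr in "$@"; do
        is_ipv4_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    done
    for cidr in "$@"; do
        # Reject new connections from this network once it already holds more
        # than EUCA_WS_CONNLIMIT open ones, then accept the rest.
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -m connlimit --connlimit-above %s -j REJECT --reject-with tcp-reset\n' \
            "$port" "$cidr" "$EUCA_WS_CONNLIMIT"
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port" "$cidr"
    done
    # Everything else: log a sample of the drops (rate limited so the log
    # itself cannot be used as a DoS vector), then drop.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "euca-ws-drop: "\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Example run with constructed networks: review the output, then pipe it to
# `sh` as root on each CLC, Walrus, SC and VMware Broker host. Include the
# other Eucalyptus component hosts in the list; the CLC must still reach
# Walrus and the SC on this port.
gen_euca_ws_rules "$EUCA_WS_PORT" 10.0.0.0/24 192.0.2.0/24
```

The rules are appended, so they assume the INPUT chain already accepts ESTABLISHED,RELATED traffic earlier in the chain; if it does not, add that rule first or existing API sessions will stall. The CIDR check is a shape check only (it does not reject octets above 255), which is enough to prevent the empty-source failure mode but not a substitute for reviewing the generated rules before applying them.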


SOLUTION
-------------

Eucalyptus 3.4.2 resolves this issue. Please see http://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest Eucalyptus software.


CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at secu...@eucalyptus.com.