ESA-07: SOAP Web Services Authorization Bypass Vulnerability


secu...@eucalyptus.com

Sep 13, 2012, 2:21:35 PM
to security...@eucalyptus.com

ESA-07: SOAP Web Services Authorization Bypass Vulnerability

====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-07
Date: 8-28-2012
Severity: Critical
Affected Versions: Eucalyptus 3.0.2, 3.1.0 and earlier
CVE Number: CVE-2012-4065
====================================================================

OVERVIEW
------------

A security vulnerability has been identified in the implementation of
the SOAP interface exposed by front-end components in Eucalyptus 3.1.0
and earlier. An update is now available that resolves this issue. We
advise immediately updating all affected Eucalyptus installations
following the instructions below.

DESCRIPTION
-------------

Eucalyptus front-end components (Cloud Controller and Walrus) can be
accessed using a SOAP web services messaging protocol. A flaw was
found in the implementation that binds external SOAP messages to
internal services. This flaw allowed users with valid Eucalyptus
credentials to bypass existing authorization mechanisms for some
services that should not be directly accessible by external users. As
a result, a malicious user could perform privileged operations, such
as manipulating volumes and snapshots belonging to other users or
modifying the Eucalyptus cloud configuration.
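The binding flaw described above, as an added illustration that is not Eucalyptus code: a front-end SOAP dispatcher that selects a service from the Body element name. The operation names, the `urn:example:constructed` namespace and the volume table are constructed; `dispatch_vulnerable` binds every registered operation to the external endpoint, while `dispatch_fixed` restricts it to an external allowlist and then checks resource ownership.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed service registry: which operations the external endpoint is meant to expose.
EXTERNAL_OPERATIONS = {"DescribeVolumes", "DeleteVolume"}
INTERNAL_OPERATIONS = {"ModifyCloudConfiguration"}
# Constructed resource table: volume id -> owning account.
VOLUMES = {"vol-1": "alice", "vol-2": "bob"}

class AuthorizationError(Exception):
    pass

def envelope(op, **params):
    """Build a constructed SOAP 1.1 request whose Body carries one operation element."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in params.items())
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<{op} xmlns="urn:example:constructed">{inner}</{op}>'
            '</soapenv:Body></soapenv:Envelope>')

def parse_request(envelope_xml):
    """Return (operation, params) from the first child of soap:Body, namespaces stripped."""
    body = ET.fromstring(envelope_xml).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing SOAP Body")
    local = lambda tag: tag.rsplit("}", 1)[-1]
    return local(body[0].tag), {local(c.tag): (c.text or "") for c in body[0]}

def dispatch_vulnerable(envelope_xml, caller):
    """Flawed binding: every registered operation is reachable with any valid credential."""
    op, _ = parse_request(envelope_xml)
    if op in EXTERNAL_OPERATIONS | INTERNAL_OPERATIONS:
        return f"{op} executed by {caller}"
    raise ValueError(f"unknown operation {op}")

def dispatch_fixed(envelope_xml, caller):
    """Hardened binding: external allowlist first, then per-resource ownership."""
    op, params = parse_request(envelope_xml)
    if op not in EXTERNAL_OPERATIONS:
        raise AuthorizationError(f"{op} is not exposed to external callers")
    if op == "DeleteVolume" and VOLUMES.get(params.get("volumeId")) != caller:
        raise AuthorizationError(f"{caller} does not own {params.get('volumeId')}")
    return f"{op} executed by {caller}"

def permitted(dispatcher, envelope_xml, caller):
    """True if the dispatcher executes the request rather than refusing it."""
    try:
        dispatcher(envelope_xml, caller)
        return True
    except AuthorizationError:
        return False
```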

SOLUTION
-------------

This issue is resolved in Eucalyptus version 3.1.1.
Please see http://www.eucalyptus.com/download/eucalyptus
for instructions on downloading and upgrading to the latest
Eucalyptus software.

CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
