ESA-23: Sensitive Information in Eucalyptus Log Files
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-23
Issue Date: 2014-08-13
Last Updated: 2014-08-27
Severity Level: Low
Affected Versions: Eucalyptus 3.4.2 to 4.0.0
CVE Number: CVE-2014-5036
====================================================================
OVERVIEW
------------
A security issue has been identified in Eucalyptus 3.4.2 to 4.0.0 where security-sensitive data was written to a Eucalyptus log file. Eucalyptus clouds using Dell Equallogic SAN are affected. An update is now available in 4.0.1 that resolves this issue.
DESCRIPTION
-------------
On Eucalyptus installations using Dell Equallogic SAN, CHAP user credentials were written into the log files on the Storage Controller (SC) component. The SC logs are readable by any user who has access to the SC host. Knowledge of CHAP credentials could allow someone to gain limited access to a subset of Eucalyptus data on the SAN.
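An added example (not part of the advisory or of Eucalyptus): a Python check that walks a log directory, finds lines that mention CHAP together with a credential field, and reports whether each file is readable by other users. The log directory argument and the field names matched are assumptions, since the advisory does not show the log line format.

```python
import os
import re
import stat
import sys

# Assumption: the advisory does not show the offending log lines, so this
# treats any line that mentions CHAP and carries a key=value or key: value
# credential field as a hit. Adjust the keys to what your SC logs contain.
FIELD_RE = re.compile(r"\b(user(?:name)?|password|secret)(\s*[=:]\s*)(\S+)", re.I)


def redact(line):
    """Mask credential values so the report itself leaks nothing."""
    return FIELD_RE.subn(lambda m: m.group(1) + m.group(2) + "[REDACTED]", line)


def audit_logs(log_dir):
    """Return (path, line_no, readable_by_others, redacted_line) per hit."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            readable_by_others = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    if "chap" not in line.lower():
                        continue
                    masked, hits = redact(line.rstrip("\n"))
                    if hits:
                        findings.append((path, line_no, readable_by_others, masked))
    return findings


if __name__ == "__main__":
    # Usage: python audit_chap_logs.py <log-directory>
    for path, line_no, exposed, masked in audit_logs(sys.argv[1]):
        flag = "readable by others" if exposed else "restricted"
        print(f"{path}:{line_no} [{flag}] {masked}")
```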
SOLUTION
-------------
Eucalyptus 4.0.1 resolves this issue. Please see http://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest Eucalyptus software.
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at secu...@eucalyptus.com.