ESA-11: Denial of Service Vulnerability in Postgres


Eucalyptus Security Team

Apr 9, 2013, 2:05:54 PM4/9/13
to security...@eucalyptus.com

====================================================================
Eucalyptus Security Advisory

Advisory ID:        ESA-11
Date:               <CHANGEME>
Severity Level:     Important
Affected Versions:  Eucalyptus 3.2.x, 3.1.x
CVE Number:         CVE-2013-1899
====================================================================

OVERVIEW
------------

The PostgreSQL security team has released a security advisory identifying an argument injection vulnerability in PostgreSQL 9.1. Although the primary privilege escalation vulnerability does not affect Eucalyptus, this vulnerability does make Eucalyptus 3.1 and greater potentially vulnerable to remote Denial of Service attacks. A workaround is available that protects the Eucalyptus database from unauthorized remote access. We advise implementing the workaround immediately on all affected Eucalyptus installations, following the instructions below.

DESCRIPTION
-------------

PostgreSQL is used as the primary database by a number of Eucalyptus components to store their metadata and user information. The database is co-located with the Cloud Controller component (CLC) and accepts remote connections. The argument injection vulnerability identified in PostgreSQL 9.1 allows remote unauthenticated attackers to corrupt database files and crash the database server, and allows remote authenticated users to modify configuration settings and execute arbitrary code. Eucalyptus is not affected by the part of the vulnerability that is exposed to remote authenticated users, because the Postgres database is used exclusively by Eucalyptus components and no other users exist in the database. However, because of this vulnerability, Eucalyptus 3.1.0 and greater is vulnerable to DoS attacks. Eucalyptus deployments that restrict network access to the CLC are potentially less exposed than deployments where public access is allowed.

WORKAROUND
-------------

Network access to TCP port 8777 on the CLC should be restricted to connections from the CLC, Walrus, Storage Controller (SC), and VMWareBroker (VB) Eucalyptus components only. In High Availability (HA) mode, access to port 8777 should be allowed from both the primary and secondary components (CLC, Walrus, SC, and VB). If iptables is used to restrict access to the database on deployments where the CLC is co-located with a Cluster Controller (CC), then starting with Eucalyptus 3.2.1 the firewall rules must be stored in ${EUCALYPTUS}/etc/eucalyptus/iptables-preload so that they are preserved across CC reboots. You must do a clean restart of the CC after adding firewall rules to that file (in HA mode, a clean stop/start is needed for both the primary and secondary CCs).
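The following script is an added example and is not part of the advisory or of the Eucalyptus code base. It generates the iptables rules the workaround calls for, in iptables-save syntax, so that they can be reviewed and then placed in ${EUCALYPTUS}/etc/eucalyptus/iptables-preload on a 3.2.1 or later CLC. The component addresses are constructed placeholders; on a real deployment they are the addresses of the CLC, Walrus, SC and VB (and, in HA mode, their secondary peers). The two check functions verify the properties a reviewer cares about: that every allowed host has a source-restricted ACCEPT and that the last rule for the port is the catch-all DROP.

```shell
#!/bin/sh
# Added example (not the advisory's own code): build INPUT-chain rules that
# limit TCP/8777, the Eucalyptus PostgreSQL port on the CLC, to a list of
# component hosts, then drop everything else aimed at that port.

PG_PORT=8777

# gen_pg_rules HOST... : print one ACCEPT per allowed component address,
# preceded by a loopback ACCEPT (the co-located CLC talks to its own
# database) and followed by a DROP for all other sources.
gen_pg_rules() {
    printf -- '-A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$PG_PORT"
    for host in "$@"; do
        printf -- '-A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$host" "$PG_PORT"
    done
    printf -- '-A INPUT -p tcp --dport %s -j DROP\n' "$PG_PORT"
}

# count_accepts : read rules on stdin, count source-restricted ACCEPTs for the port
count_accepts() {
    grep -c -- "-s .* --dport $PG_PORT -j ACCEPT"
}

# last_rule_is_drop : read rules on stdin, succeed only if the final rule
# for the port is the catch-all DROP (order matters in an iptables chain)
last_rule_is_drop() {
    tail -n 1 | grep -q -- "--dport $PG_PORT -j DROP"
}

# Constructed HA deployment: primary and secondary CLC, Walrus, SC and VB.
# Placeholder addresses, not from the advisory.
COMPONENTS="10.0.0.11 10.0.0.12 10.0.0.21 10.0.0.22 10.0.0.31 10.0.0.32 10.0.0.41 10.0.0.42"

# Usage: gen_pg_rules $COMPONENTS >> ${EUCALYPTUS}/etc/eucalyptus/iptables-preload
# followed by a clean stop/start of the CC (both CCs in HA mode).
gen_pg_rules $COMPONENTS
```

The rules are emitted rather than applied so that they can be diffed against the existing preload file before the CC restart that the advisory requires; applying them with iptables-restore or by hand is a separate, deliberate step.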

SOLUTION
-------------

Eucalyptus 3.3 will resolve this issue by upgrading to PostgreSQL 9.1.9 or later.


CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at secu...@eucalyptus.com.

