CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability

2016-10-27 Thread John Kinsella
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability CVSS v3: 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L) Vendors: The Apache Software Foundation Accelerite, Inc Versions affected: CloudStack versions 4.1 and newer are affec

CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

2016-06-09 Thread John Kinsella
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Vendors: The Apache Software Foundation Accelerite, Inc Versions affected: CloudStack versions 4.5.0 and newer Description: Apache Clou

Re: glibc vulnerable (CVE-2015-7547)

2016-03-01 Thread John Kinsella
We (ACS security team) are aware of the glibc vulnerability, and yes a vulnerable version exists in the current supported version of the system VM image. The question though, which I’ve been trying to figure out is does the code running on the secondary storage VM, console proxy, or virtual rout

Re: HTTPS for console VM, without the wildcard DNS

2016-02-19 Thread John Kinsella
You could probably hack this - if you only provided enough IPs for your System VMs so that its IP wouldn’t change, you could register the SSL cert for that specific FQDN. Seems like it should be possible to have the console proxy run in http-only, then put a TLS endpoint in front of it (hapro

Re: No Key

2016-02-06 Thread John Kinsella
If you look at Shapeblue’s package page[1] they indeed do use GPG keys on their packages, and the page shows how to set that up. Look under section "Configuring Repository for RPM based platforms" John 1:http://www.shapeblue.com/packages/ > On Feb 4, 2016, at 2:00 AM, Mohd Zainal Abidin Rabani

Two late-announced security advisories

2016-02-04 Thread John Kinsella
Folks - I just sent out 2 security advisories that should have been sent out several months ago - luckily the ASF security team was aware of them and prodded the ACS security team as to what was up. Earlier today I realized the announcements hadn’t gone out, so they were just sent. I just put u

CVE-2015-3252: Apache CloudStack VNC authentication issue

2016-02-04 Thread John Kinsella
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2015-3252: Apache CloudStack VNC authentication issue CVSS v2: 4.3 (AV:N/AC:H/Au:M/C:P/I:P/A:P) Vendors: The Apache Software Foundation Citrix, Inc. Versions Affected: Apache CloudStack 4.4.4, 4.5.1 Description: Apache CloudStack sets a VNC

CVE-2015-3251: Apache CloudStack VM Credential Exposure

2016-02-04 Thread John Kinsella
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2015-3251: Apache CloudStack VM Credential Exposure CVSS v2: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P) Vendors: The Apache Software Foundation Citrix, Inc. Versions Affected: Apache CloudStack 4.4.4, 4.5.1 Description: Apache CloudStack provides an A

Re: gpg verification: missing key 0EE3D884

2015-11-19 Thread John Kinsella
Rohit Yadav mailto:rohit.ya...@shapeblue.com>> wrote: Hi John and Udo, Thanks for bringing this to attention. I’m unsure how I missed this but updated the KEYS file now. Regards. On 17-Nov-2015, at 5:28 AM, John Kinsella mailto:j...@stratosec.co>> wrote: Rohit - looks like y

Re: gpg verification: missing key 0EE3D884

2015-11-17 Thread John Kinsella
No apologies. :) > On Nov 17, 2015, at 11:33 AM, Udo Rader wrote: > > sorry for the noise & being probably paranoid here, but I've once had to > deal with compromised source code (proftpd) and I promised myself to > cross check as much as I can ... > > On 11/1

Re: gpg verification: missing key 0EE3D884

2015-11-17 Thread John Kinsella
s > https://issues.apache.org/jira/browse/CLOUDSTACK-9070 ... > > On 11/17/2015 12:58 AM, John Kinsella wrote: >> Rohit - looks like your key isn’t in >> https://dist.apache.org/repos/dist/release/cloudstack/KEYS ? >> >> On Nov 16, 2015, at 3:43 PM, Udo Rader >> m

Re: gpg verification: missing key 0EE3D884

2015-11-16 Thread John Kinsella
Rohit - looks like your key isn’t in https://dist.apache.org/repos/dist/release/cloudstack/KEYS ? On Nov 16, 2015, at 3:43 PM, Udo Rader mailto:list...@bestsolution.at>> wrote: Hi, I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the download using gpg, but gpg tells me that the us

Re: cloudstack vulnerable by COLLECTIONS-580?

2015-11-10 Thread John Kinsella
Thanks for sending this, Rene. In the future, please send issues like this to secur...@cloudstack.apache.org. We’re looking things over, and will have further comments after review. John On Nov 10, 2015, at 6:07 AM, Rene Moser mailto:m...@renemoser.net>>

Xen security issue

2015-11-02 Thread John Kinsella
Folks running paravirtualized VMs on Xen (3.4 and newer) hosts need to patch to protect against a new vulnerability that allows an admin in a VM to escape up to the host: http://xenbits.xen.org/xsa/advisory-148.html John Stratosec - Secure Finance and Healthcare Clouds http://stratosec.co o: 41

Re: openssl/cloudstack

2015-07-11 Thread John Kinsella
Update - looks like there’s no exposure to the vulnerability for us. The Debian images we use do not use a vulnerable version of OpenSSL. Thanks for the patience! John On Jul 10, 2015, at 10:19 AM, John Kinsella mailto:j...@stratosec.co>> wrote: Folks - just put up a brief blog post

openssl/cloudstack

2015-07-10 Thread John Kinsella
Folks - just put up a brief blog post about the latest OpenSSL issue and how that affects CloudStack. Long story short - we think it does, but are verifying that. Hopefully will have an update by the end of the day. https://blogs.apache.org/cloudstack/entry/cloudstack_and_openssl_cve_2015 Will

Re: New SSL vulnerability #FREAK

2015-03-03 Thread John Kinsella
Thanks for confirmation, Eric Pardon any typos - sent from mobile device Stratosec o: 415.315.9385 @johnlkinsella On Mar 3, 2015, at 10:59 PM, Erik Weber mailto:terbol...@gmail.com>> wrote: On Wed, Mar 4, 2015 at 2:21 AM, Nux! mailto:n...@

Re: New SSL vulnerability #FREAK

2015-03-03 Thread John Kinsella
I don't *think* ACS is vulnerable, but haven't gotten a chance to confirm that yet. Excuse any typos - sent from mobile device > On Mar 3, 2015, at 17:23, Nux! wrote: > > https://freakattack.com/ > > That time of the month again. Secure your stuff, folks. > > -- > Sent from the Delta quadra

Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sth

2015-01-28 Thread John Kinsella
FYI the blog post mentioned below now has links to updated SSVM templates. > On Jan 28, 2015, at 11:49 AM, John Kinsella wrote: > > Folks - just posted mitigation details at [1]. An updated SSVM template is > being QAed, once released the post will be updated with links and we’l

Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sth

2015-01-28 Thread John Kinsella
Folks - just posted mitigation details at [1]. An updated SSVM template is being QAed, once released the post will be updated with links and we’ll mention here as well. John 1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc On Jan 28, 2015, at 4:55 AM, Rohit Yadav mai

Re: How to remove VM entry from CloudStack database?

2014-12-12 Thread John Kinsella
CloudStack doesn’t usually remove records from db tables. If you look at vm_instance (or many other tables in there) you’ll see three timestamp fields: created, update_time, and removed. So if you want to “remove” a vm/disk/nic/etc, you change the removed field from null to a timestamp, e.g. UPD

Re: Desktop as a service

2014-12-10 Thread John Kinsella
cantivo (http://cantivo.org/) > I wished to know if any of these can be used with cloudstack? If yes then > can someone please guide me how to do that? > > Regards > > On Tue, Dec 9, 2014 at 5:43 AM, John Kinsella wrote: > >> >>> On Dec 5, 2014, at 11:08 PM, Tila

Re: Desktop as a service

2014-12-08 Thread John Kinsella
> On Dec 5, 2014, at 11:08 PM, Tilak Raj Singh wrote: > > Hello Everybody, > > I am new to cloudstack so I don't know if I am going off the topic here. I > wished to know how to setup Virtual Desktop Interface (VDI) using > cloudstack. I browsed the net and found that openstack has the capabilit

[CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds

2014-12-08 Thread John Kinsella
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P Vendors: The Apache Software Foundation Citrix, Inc. Versions Affected: Apache CloudStack 4.3, 4.4 Description: Apache CloudStack may be configured

Re: [DISCUSS] CloudStack Future

2014-09-17 Thread John Kinsella
Ah, from that POV. Gotchya. I think also making it easier to develop the UI would help. Feels like a big black box to me, and probably to others… On Sep 16, 2014, at 10:37 PM, Rohit Yadav mailto:rohit.ya...@shapeblue.com>> wrote: So, most of the developers of CloudStack don’t use it as a user.

Re: [DISCUSS] CloudStack Future

2014-09-16 Thread John Kinsella
I love seeing thoughts/actions around organizing. but… (Rohit, you keep doing good stuff and I keep popping up to be negative, sorry :) ) Can we do this within the ASF infrastructure? Trello is cool (I’ve used it internally in the past) but can’t we do this on a Confluence page? This allows f

Re: assignVirtualMachine - Change domain (4.1.1)

2014-09-09 Thread John Kinsella
Yeah - that doesn’t work 100% - you’ll have to delete and re-create the fw rules, at least for advanced networking. Needs a tiny bit more refinement. :) On Sep 9, 2014, at 3:42 PM, Nitin Mehta mailto:nitin.me...@citrix.com>> wrote: Though I am averse to mucking around the db I know tha

Re: Logging...

2014-08-27 Thread John Kinsella
On agents or mgmt server, edit /etc/cloudstack/*/log4j-cloud.xml Look for lines that read similar to And change INFO to DEBUG On Aug 25, 2014, at 2:00 PM, Michael Phillips wrote: > Seems the logging level in 4.4 has been toned down, how do you crank it up to > verbose levels? >

Re: Windows - KVM - Virtio

2014-05-16 Thread John Kinsella
Yes. Significant performance boost to run in PV with drivers Please excuse typos - sent from mobile device. - Reply message - From: "Jochim, Ingo" To: "'users@cloudstack.apache.org'" Subject: Windows - KVM - Virtio Date: Fri, May 16, 2014 4:28 PM Hi all, is there any need to install t

REMINDER realhostip going away

2014-04-17 Thread John Kinsella
Reminder, folks - please migrate off realhostip.com or you’re going to get a nasty surprise this summer. More info at link below. https://blogs.apache.org/cloudstack/entry/realhostip_service_is_being_retired

Re: OpenSSL Flaw

2014-04-10 Thread John Kinsella
Sorry folks that I didn’t send it to this list. To be accurate, it’s a blog post not a press release. We’ll have a formal solution in a few more days. https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed On Apr 9, 2014, at 5:19 AM, Antonio Packery mailto:antonio.pack...@

REMINDER please send security issues to security@

2014-03-28 Thread John Kinsella
Folks - in the last week or three we’ve had 2 Jira issues created for security-related issues. In both cases, they seem to be false-positives, luckily. If you think you have found a security issue in ACS, please email secur...@cloudstack.apache.org. This gives us a chance to investigate and cr

[ANNOUNCE] Realhostip Service is Being Retired

2014-03-25 Thread John Kinsella
Realhostip Service is Being Retired Recently the Apache CloudStack PMC was informed that the realhostip.com Dynamic DNS service that CloudStack currently uses as part of the console proxy will be disbanded this summer. The realhostip service will be shut down June 30th, 2014, meaning users hav

Re: [ANNOUNCE] Realhostip Service is Being Retired

2014-03-25 Thread John Kinsella
(Sorry folks - resend, with links at bottom) Realhostip Service is Being Retired Recently the Apache CloudStack PMC was informed that the realhostip.com Dynamic DNS service that CloudStack currently uses as part of the console proxy will be disbanded this summer. The re

Re: [PROPOSAL] Support pure Xen as a hypervisor

2014-03-18 Thread John Kinsella
+1 On Mar 18, 2014, at 8:40 AM, Tim Mackey mailto:tmac...@gmail.com>> wrote: Historically CloudStack has used Xen and XenServer interchangeably to refer to any XenAPI based implementation. With the recent release of Xen Project 4.4 (http://blog.xen.org/index.php/2014/03/10/xen-4-4-released/), a

Re: Custom billing Application using CloudStack API

2014-03-06 Thread John Kinsella
I was avoiding the convo and looking forward to the Denver talk, but since HB was directly mentioned... We use Hostbill…opinions are mixed, mostly because they encrypt the php code so we can’t easily modify things. We are not yet using the metered billing functionality. Hostbill’s management a

Re: Adding a host with running VM's issu

2014-03-04 Thread John Kinsella
This would be a super-cool feature to add to ACS. It’s sorta the cloud-orchestration equivalent of having to add 1000 nodes to nagios. Would be interesting to discuss with folks over a tasty beverage in Denver... On Mar 4, 2014, at 2:44 AM, Badi wrote: > hello cloudstack users, > > Can any o

Re: Why no use sync rather than async for NFS storage?

2014-02-24 Thread John Kinsella
Just created CLOUDSTACK-6166 to change this, or at least get a good reason for why folks think it’s OK. On Feb 24, 2014, at 8:57 AM, John Kinsella wrote: > Interesting - hadn’t noticed that. > > Async is generally faster, at the risk of data loss as the client isn’t > guarantee

Re: Why no use sync rather than async for NFS storage?

2014-02-24 Thread John Kinsella
Interesting - hadn’t noticed that. Async is generally faster, at the risk of data loss as the client isn’t guaranteed data write on the server. Not something I’d run in production. John On Feb 23, 2014, at 10:33 PM, Amin Samir wrote: > Hello, > > All cloudstack documentation prepares the NFS

Re: CoreOS and Cloudstack

2014-02-21 Thread John Kinsella
I just imported their KVM image [1] and spun up a VM with it - that far, no problem. So, it runs. Next step - need to build a coreos image with support to get the ssh keys from CloudStack [2] John 1: http://storage.core-os.net/coreos/amd64-generic/dev-channel/coreos_production_qemu_image.img.

Re: CloudStack WebUI Loads Up Very Slow

2014-02-20 Thread John Kinsella
Is the sluggishness during the initial (login) load, or on every page? Is this new sluggishness when you went to HA, or was it always there? The UI is designed to have a heavy initial load and then be mostly AJAX and more responsive after that. The initial UI load is fairly huge - tons of JS, C

Re: Unable to set permissions Cloudstack 4.3

2014-02-17 Thread John Kinsella
I just created CLOUDSTACK-6128 after seeing this. a) We shouldn’t be setting filesystem permissions wide open b) If and when we do set permissions, we should care about the results c) We shouldn’t be displaying “errors” that users can ignore Will see if I can clean some of that up over the next f

Re: Software licensing in the cloud

2014-02-11 Thread John Kinsella
I spent too much time researching this last year…I’d consider http://www.aidanfinn.com/?p=13090 to be the gold standard on explaining the topic in an understandable manner. On Feb 11, 2014, at 4:30 AM, Ricardo Makino mailto:ricardo.n...@gmail.com>> wrote: Hi Everyone, I have a doubt about wha

Re: Distributed Intrusion Detection System in Cloud Computing

2013-11-21 Thread John Kinsella
Hey Robert! On Nov 16, 2013, at 11:53 AM, Robert Bruce wrote: > Hi, hope all of you will be fine and doing your best for the development of > open source community. > > I want your suggestions and help regarding my project. I am going to start > my master's thesis in the domain of Cloud Computi

Re: realhostip.com down?

2013-11-06 Thread John Kinsella
I'm seeing similar in San Francisco, CA… On Nov 6, 2013, at 6:52 PM, Steve Searles wrote: > -bash-3.2$ dig @8.8.8.8 ns.realhostip.com +trace > > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> @8.8.8.8 ns.realhostip.com > +trace > ; (1 server found) > ;; global options: printcmd > .

Re: [PROPOSAL] Service monitoring tool in virtual router

2013-11-06 Thread John Kinsella
Thx for putting this together, Jayapal. A few comments: I'd really like to have a config flag to specify if things should be restarted automatically or not. Worst case, track the restarts - if a service is restarted more than X times in Y seconds, something's obviously wrong so stop tail-chasin

Re: change own password and personal info

2013-11-06 Thread John Kinsella
ntuitive to new users. On Wed, Nov 6, 2013 at 9:57 AM, John Kinsella mailto:j...@stratosec.co>> wrote: Seems like the UI could benefit from a "my account" link near the top of the page…what do folks think? On Nov 6, 2013, at 5:31 AM, Geoff Higginbottom < geoff.higginbot

Re: change own password and personal info

2013-11-06 Thread John Kinsella
Seems like the UI could benefit from a "my account" link near the top of the page…what do folks think? On Nov 6, 2013, at 5:31 AM, Geoff Higginbottom mailto:geoff.higginbot...@shapeblue.com>> wrote: You need to go to the Users Section as the passwords are mapped to users, not accounts Regard

Re: Console Proxy SSL Certificate

2013-11-05 Thread John Kinsella
Self-signed is fine, just need to store it in the keystone as described on https://cwiki.apache.org/confluence/display/CLOUDSTACK/Enabling+SSL+in+the+CloudStack+UI On Nov 5, 2013, at 10:05 AM, Paulo Ricardo wrote: > Hello everybody, > > After I generate a new 2048-bit private key and generate

Re: Monitoring feature for CS

2013-08-16 Thread John Kinsella
I've been thinking a lot about monitoring over the last 6 weeks or so. For over a decade I've been a huge fan of Opsview/nagios, but I started getting the nagging feeling that this wasn't necessarily the best way to go anymore, with this whole cloud thing. So I've been looking/playing with a bun

Re: VNC Security---Remote Authentication Vulnerability

2013-05-22 Thread John Kinsella
Hi Aslan - are you referring to the CloudStack vulnerability announcement related to authentication bypass we announced in April? (CVE 2013-2756) If so, to fix the issue you need to upgrade to CloudStack 4.0.2. Do note there's issues with Ceph on ACS 4.0.2, so if you are using Ceph we'll have to

Re: Lock System VMs to specific IPs due to internal security

2013-05-02 Thread John Kinsella
You can deploy a VM with a specific IP - if somebody else hasn't already used it…it's not really an ideal solution but works "most of the time." John On May 2, 2013, at 1:47 PM, "Musayev, Ilya" wrote: > Has any tried to achieve locking SSVM, CPVM and RVM to specific IPs due to > network secur

Apache CloudStack Security Advisory: Multiple vulnerabilities in Apache CloudStack

2013-04-24 Thread John Kinsella
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Product: Apache CloudStack Vendor: The Apache Software Foundation CVE References: CVE-2013-2756, CVE-2013-2758 Vulnerability Type(s): Authentication bypass (2756), cryptography (2758) Vulnerable version(s): Apache CloudStack version 4.0.0-incubating