All,

On private@ and security@, we discussed and worked on a fix for the ROBOT TLS attack [1] and released CloudStack 4.9.3.1. The issue does not affect the latest 4.11.0.0 version and does not require any upgrades/fixes/changes in that regard.

The issue primarily affects installations that are using an older version of bouncycastle; the only change we made against the 4.9.3.0 release was to upgrade the bouncycastle dependency version to 1.59 [2]. After upgrading from 4.9.3.0 to 4.9.3.1, users will be required to destroy old CPVMs and SSVMs (new ones will be patched by a newer systemvm.iso that will have the v1.59 bc dependency jar), and to upgrade and restart KVM agent(s) and management server(s).

Download page: http://cloudstack.apache.org/downloads.html
Release notes for 4.9.3.1: http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.9.3.1/

[1] robotattack.org
[2] https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c

Regards,
Rohit Yadav
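As an added verification check (not part of the announcement or of the CloudStack project), the following Python script reads the manifest of any bcprov*.jar found under a directory and reports whether it is at or above the 1.59 version the release ships. The directory to scan, the `bcprov*.jar` file name pattern and the manifest attribute names used for the version are assumptions; the sample jar is constructed inline for testing.

```python
import io
import re
import zipfile
from pathlib import Path

# Minimum bouncycastle version shipped with CloudStack 4.9.3.1 (from the announcement).
MIN_BC_VERSION = (1, 59)

# Manifest attributes that bcprov jars commonly carry; an assumption, not from the page.
VERSION_KEYS = ("Implementation-Version", "Bundle-Version")


def parse_manifest(text):
    """Parse a JAR MANIFEST.MF: 'Key: value' lines, continuation lines start with a space."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def version_tuple(s):
    """'1.59.0' -> (1, 59); only major.minor matter for the 1.59 threshold."""
    nums = re.findall(r"\d+", s)
    return tuple(int(n) for n in nums[:2]) if nums else ()


def jar_bc_version(jar_bytes):
    """Return the (major, minor) version recorded in the jar's manifest, or () if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    for key in VERSION_KEYS:
        if key in attrs:
            return version_tuple(attrs[key])
    return ()


def is_patched(jar_bytes):
    """True only when a version was found and it is >= 1.59."""
    version = jar_bc_version(jar_bytes)
    return bool(version) and version >= MIN_BC_VERSION


def make_sample_jar(version):
    """Constructed test input: a minimal jar with only a manifest, not a real bcprov jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
    return buf.getvalue()


def scan_dir(path):
    """Map each bcprov*.jar under path (assumed layout) to whether it is at or above 1.59."""
    return {str(p): is_patched(p.read_bytes()) for p in Path(path).rglob("bcprov*.jar")}


if __name__ == "__main__":
    import sys
    for jar, ok in sorted(scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(("OK  " if ok else "OLD ") + jar)
```

Run it against the management server and KVM agent library directories after the upgrade; any jar reported as OLD still carries the pre-1.59 dependency.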