ShapeBlue Security Advisory – Spectre and Meltdown patches in CloudStack 4.9 and 4.11
Overview: At the beginning of 2018 a number of vulnerabilities were discovered which allow malicious user space processes to read kernel memory and malicious code in VM guests to read hypervisor memory. These vulnerabilities affect most CPU manufacturers – Intel, AMD, ARM, MIPS, etc. The vulnerabilities were nicknamed “Spectre” and “Meltdown” and are outlined in […]
ShapeBlue Security Advisory – DNSMasq Vulnerabilities
A number of security flaws were recently found in the DNSMasq tool. This tool is used by many systems to provide DNS and DHCP services, including by the CloudStack System VMs.
This advisory explains their effect on CloudStack and how to patch CloudStack against these flaws.
Migration away from download.cloud.com to download.cloudstack.org may cause problems in existing CloudStack installations and versions
Background: CloudStack relies on a fixed download site when it fetches the built-in guest VM templates. That download site has historically been download.cloud.com and is being replaced by download.cloudstack.org. Download.cloudstack.org is now fully functional. The retirement date of download.cloud.com is unknown but expected to be imminent. The issue & behaviour: After the retirement of download.cloud.com, […]
Shapeblue Security Advisory For CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability
Overview: Apache CloudStack provides a registerUserKeys API that allows a user to create or recreate a secret key and an API key to use for authentication when using the CloudStack API. A malicious user can request this API action in conjunction with the ID of another CloudStack user/account. The newly […]
Shapeblue Security Advisory For CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability
Overview: Apache CloudStack contains an authentication module providing “single sign-on” functionality via the SAML data format. Under certain conditions, a user could manage to access the user interface without providing proper credentials. As the SAML plugin is disabled by default, this issue only affects installations that have enabled and use SAML-based authentication. Mitigation: Users of […]
Shapeblue Security Advisory for CVE-2015-0235, aka the Ghost vulnerability
Overview: A vulnerability has been recently disclosed by Qualys that could result in a remote attacker being able to execute malicious instructions on vulnerable systems. The vulnerability affects Linux based operating systems. This is better known as the GHOST ‘glibc’ vulnerability (CVE-2015-0235): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 What is ShapeBlue Doing? ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS). The […]
Retirement of the realhostip.com Service
The realhostip.com service will be switched off on the 1st October 2014. Paul Angus looks at what it did, what effect the retirement will have and what you need to do to carry on working if you’re affected. What is realhostip.com? When you connect to the Console Proxy system VM or download a disk or […]
Cloudstack, Cloud.Com and Citrix. Who’s who?
Many people ask me what the relationship is between CloudStack, Citrix and Cloud.com. This is how Citrix explain it themselves: Citrix Systems today announced a new edition of CloudStack™, which will feature enhanced support for both the VMware vSphere and Oracle VM hypervisors, enabling VMware and Oracle customers to manage their virtualized servers as […]