CVE-2015-3251: Apache CloudStack VM Credential Exposure
CVSS v2:
6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Vendors:
The Apache Software Foundation
Citrix, Inc.
Versions Afffected:
Apache CloudStack 4.4.4, 4.5.1
Description:
Apache CloudStack provides an API for managing network, compute,
storage, and user aspects of a CloudStack cloud. Under certain
circumstances, the results of certain API calls may expose the root
password for a virtual machine related to an API call.
This exposure only happens when the API calls of concern are
authenticated with CloudStack's "root" or "domain administrator"
level users.
Mitigation:
Users of Apache CloudStack should update to at least 4.5.2 or 4.6.0.
Additionally ensure non-administrative users do not have root or
domain-administrator level accounts.
Komentarų nėra:
Rašyti komentarą