CVE-2015-3252: Apache CloudStack VNC authentication issue
CVSS v2:
4.3 (AV:N/AC:H/Au:M/C:P/I:P/A:P)
Vendors:
The Apache Software Foundation
Citrix, Inc.
Versions Afffected:
Apache CloudStack 4.4.4, 4.5.1
Description:
Apache CloudStack sets a VNC password unique to each KVM virtual
machine under management. Upon migrating a VM from one host to
another, the VNC password is no longer set in KVM on the new host.
To leverage this issue, an attacker would need to have network
access to a CloudStack host to be able to connect via VNC directly.
Mitigation:
Users of Apache CloudStack and derivatives should ensure their hosts
are behind network firewalls, and should update to least version
4.5.2 or 4.6.0, depending on which tree is being used.
Komentarų nėra:
Rašyti komentarą