====================================================================
CERT-Renater Information Note No. 2016/VULN056
_____________________________________________________________________
DATE : 12/02/2016
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache CloudStack versions 4.4.4, 4.5.1.
======================================================================
http://mail-archives.apache.org/mod_mbox/cloudstack-users/201602.mbox/%3C94DD4CB4-F718-4F79-A934-3D677E497114@gmail.com%3E
_____________________________________________________________________

CVE-2015-3251: Apache CloudStack VM Credential Exposure

CVSS v2: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Affected:
Apache CloudStack 4.4.4, 4.5.1

Description:
Apache CloudStack provides an API for managing the network, compute, storage, and user aspects of a CloudStack cloud. Under certain circumstances, the results of certain API calls may expose the root password of a virtual machine related to the call. This exposure only happens when the API calls of concern are authenticated with CloudStack's "root" or "domain administrator" level users.

Mitigation:
Users of Apache CloudStack should update to at least 4.5.2 or 4.6.0. Additionally, ensure that non-administrative users do not hold root or domain-administrator level accounts.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
==========================================================
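As an added example (not part of the CERT-Renater note or of the CloudStack project), the two mitigation checks above written as a small Python audit: a version test against the releases the note lists, and a pass over a listAccounts response to flag accounts with root or domain-administrator rights. The "accounttype" numbering (0 = user, 1 = root admin, 2 = domain admin) and the sample response are assumptions of this example.

```python
import json

# Versions the advisory lists as affected, and the lowest release it names as fixed.
AFFECTED_VERSIONS = {(4, 4, 4), (4, 5, 1)}
MIN_FIXED_VERSION = (4, 5, 2)

# CloudStack "accounttype" values (assumption: 0 = user, 1 = root admin, 2 = domain admin).
ROOT_ADMIN = 1
DOMAIN_ADMIN = 2


def parse_version(text):
    """Turn '4.5.1' (or '4.5.1-SNAPSHOT') into a comparable tuple of ints."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True when the version is one the advisory explicitly lists as affected."""
    return parse_version(version) in AFFECTED_VERSIONS


def is_fixed(version):
    """True when the version is at or above the minimum fixed release (4.5.2)."""
    return parse_version(version) >= MIN_FIXED_VERSION


def privileged_accounts(list_accounts_json):
    """Return names of accounts holding root or domain-administrator rights,
    i.e. the accounts whose API calls could return a VM root password."""
    data = json.loads(list_accounts_json)
    accounts = data.get("listaccountsresponse", {}).get("account", [])
    return sorted(a["name"] for a in accounts
                  if a.get("accounttype") in (ROOT_ADMIN, DOMAIN_ADMIN))


# Constructed sample of a listAccounts response; not real data.
SAMPLE_LIST_ACCOUNTS = json.dumps({
    "listaccountsresponse": {
        "count": 3,
        "account": [
            {"name": "admin", "accounttype": 1, "domain": "ROOT"},
            {"name": "ops-team", "accounttype": 2, "domain": "ops"},
            {"name": "developer1", "accounttype": 0, "domain": "ops"},
        ],
    }
})

if __name__ == "__main__":
    for v in ("4.4.4", "4.5.1", "4.5.2", "4.6.0"):
        print(v, "affected" if is_affected(v) else "not listed",
              "| fixed" if is_fixed(v) else "| below fixed release")
    print("privileged accounts to review:", privileged_accounts(SAMPLE_LIST_ACCOUNTS))
```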