Shapeblue Security Advisory For CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability

Overview: Apache CloudStack provides a registerUserKeys API that allows a user to create or recreate a secret key and an API key to use for authentication when using the CloudStack API. A malicious user can request this API action in conjunction with the ID of another CloudStack user/account. The newly created or re-generated API keys for […]


Shapeblue Security Advisory For CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

Overview: Apache CloudStack contains an authentication module providing “single sign-on” functionality via the SAML data format. Under certain conditions, a user could manage to access the user interface without providing proper credentials. As the SAML plugin is disabled by default, this issue only affects installations that have enabled and use SAML-based authentication. Mitigation: Users of […]


Taxi for Citrix, now time for CloudStack to shine

Today, Citrix announced that it was selling off two product lines: Citrix CloudPlatform and Citrix CloudPortal. For once, many Cloud commentators are right: this absolutely IS Citrix picking up its ball and going home. They’ve thrown this business line over the fence to Accelerite from Persistent Systems. However, the sale tells us more about Citrix […]


Recovery of VMs to new CloudStack instance

We recently came across a very unusual issue where a client had a major security breach on their network. As well as lots of other damage, their CloudStack infrastructure was maliciously damaged beyond recovery. Luckily the hackers hadn’t managed to damage the backend XenServer hypervisors, so they were quite happily still running user VMs and Virtual Routers, […]


CloudStack Primary Storage

Paul Angus, Cloud Architect at ShapeBlue, takes an interesting look at how to separate CloudStack’s management traffic from its primary storage traffic. I recently looked at physical networking in a CloudStack environment and alluded to the fact that you cannot separate primary storage traffic from management traffic from CloudStack, but that it is still possible. […]


Shapeblue Security Advisory for CVE-2015-0235, aka the Ghost vulnerability

Overview: A vulnerability has been recently disclosed by Qualys that could result in a remote attacker being able to execute malicious instructions on vulnerable systems. The vulnerability affects Linux based operating systems. This is better known as the GHOST ‘glibc’ vulnerability (CVE-2015-0235): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 What is ShapeBlue Doing? ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS). The […]
