Entries by Rohit Yadav


ShapeBlue Security Advisory for CVE-2022-35741: XXE vulnerability in SAML 2.0 Service Provider Plugin for CloudStack

18 July 2022 13:30 UTC Versions Affected Any version of Apache CloudStack >= 4.5 (including currently supported versions: 4.16.0, 4.16.1, 4.17) Scope Any Apache CloudStack (affected versions) environments that have the SAML plugin enabled. Summary Apache CloudStack enables authentication through SAML 2.0 by providing a SAML 2.0 Service Provider Plugin. This plugin is disabled by default and is enabled by configuring the global setting saml2.enabled to true. Having this setting set to true in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack […]
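The advisory above describes the class of bug, not its specific trigger. The following is an added example written for this page (it is not code from the CloudStack SAML plugin or from ShapeBlue) showing the difference between a default JAXP DOM parser, which resolves a DOCTYPE and its external entities, and one hardened against XXE. The SAML-shaped document, the file path and the class and method names are all constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

/** Added demonstration of XXE in a default JAXP parser versus a hardened one; not CloudStack code. */
public class XxeDemo {
    // Constructed sample: a SAML-shaped response whose NameID expands an external entity.
    static final String HOSTILE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE saml [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
        + "<NameID>&xxe;</NameID></samlp:Response>";

    /** Default JAXP configuration: DTD processing and external entities are on (vulnerable). */
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: refuse any DOCTYPE and disable every external-resource path. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright stops XXE, billion-laughs and parameter-entity tricks.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that still see a DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no network or file access for DTDs and schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parse the document and return the NameID text, as an SP would before looking up the user. */
    static String parseNameId(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("NameID").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            // With the default parser the NameID comes back holding the contents of /etc/hostname.
            System.out.println("unsafe parser returned: " + parseNameId(unsafeBuilder(), HOSTILE));
        } catch (Exception e) {
            System.out.println("unsafe parser failed (file missing or blocked): " + e);
        }
        try {
            parseNameId(hardenedBuilder(), HOSTILE);
            System.out.println("hardened parser unexpectedly accepted the document");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE itself is rejected before any entity is resolved.
            System.out.println("hardened parser rejected the DOCTYPE: " + e.getMessage());
        }
    }
}
```

The check a practitioner wants here is the first one: a SAML response never legitimately needs a DOCTYPE, so disallow-doctype-decl alone closes file read, SSRF via entity URLs and entity-expansion denial of service in one line. The remaining features matter for parsers that do not honour that flag, and for SAX or StAX code paths that the plugin may use instead of DOM.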

Apache CloudStack on RaspberryPi4 with KVM

IoT devices have gained interest in recent times. In this article, Rohit Yadav, Principal Engineer at ShapeBlue, explores and shares his personal experience of setting up an Apache CloudStack based IaaS cloud on Raspberry Pi4, a popular single-board ARM64 IoT computer that can run a GNU/Linux kernel with KVM. The article presents the use case of Apache CloudStack on RaspberryPi4 with Ubuntu 20.04 and KVM. CloudStack support for ARM64/RaspberryPi4 is available from version 4.13.1.0+. This guide uses a custom CloudStack 4.16 repository that was created and tested specifically against the new RaspberryPi4 and Ubuntu 20.04 arm64 to set up an IaaS cloud […]

What’s coming in the new CloudMonkey 6.0? | CloudStack Feature Deep Dive

Background The original CloudMonkey was contributed to the Apache CloudStack project on 31 Oct 2012 under the Apache License 2.0. It is written in Python and shipped using the Python CheeseShop, and since its inception has gone through several refactors and rewrites. While this has worked well over the years, the installation and usage have been limited to just a few modern platforms due to the dependency on Python 2.7, meaning it is hard to install on older distributions such as CentOS6. Over the past two years, several attempts have been made to make the code compatible across Python 2.6, 2.7 and […]


Secure Live KVM VM Migration with CloudStack 4.11.1 | CloudStack Feature Deep Dive

Introduction CloudStack 4.11.1 introduces a new security enhancement on top of the new CA framework to secure live KVM VM migrations. This feature allows live migration of guest VMs across KVM hosts over a TLS-enabled libvirtd process. Without this feature, the live migration of guest VMs across KVM hosts uses an unencrypted TCP connection, which is prone to man-in-the-middle attacks leading to leakage of critical VM data (the VM state and memory). This feature brings stability and security enhancements for CloudStack and KVM users. Overview The initial implementation of the CA framework was limited to the provisioning of X509 certificates to secure […]

What’s new in CloudStack 4.11? | CloudStack Feature Deep Dive

Version 4.11 of Apache CloudStack has been released with some exciting new features and a long list of improvements and fixes. It includes more than 400 commits, 220 pull requests, and fixes more than 250 issues. This version has been worked on for 8 months and is the first release of the 4.11 LTS releases, which will be supported until 1 July 2019. We’ve been heavily involved in this release at ShapeBlue; our engineering team has contributed a number of the major new features and our own Rohit Yadav has been the 4.11 Release Manager. As well as some really […]

CloudStack CA Framework | CloudStack Feature Deep Dive

Introduction The CloudStack management server listens by default on port 8250 for agents, and this is secured by one-way SSL authentication using the management server’s self-generated server certificates. While this encrypts the connection, it does not authenticate and validate the connecting agent (client). Upcoming features such as support for container/application cluster services require certificate management, and the emerging common theme is that CloudStack needs an internal certificate authority (CA) that can provide and ensure security and authenticity of client-server connections, and issue, revoke and provision certificates. Solution To solve these problems, we designed and implemented a new pluggable CA framework with a default self-signed […]

Shapeblue Security Advisory For CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability

Overview Apache CloudStack provides a registerUserKeys API that allows a user to create or recreate a secret key and an API key to use for authentication when using the CloudStack API. A malicious user can request this API action in conjunction with the ID of another CloudStack user/account. The newly created or re-generated API keys for this other user would then be returned to the malicious user, giving them access to the other user’s account and resources. The issue affects all users of CloudStack 4.1 and above. NOTE: In order to exploit this vulnerability the malicious user must themselves have authenticated API […]
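The bug above is a missing authorization check on a caller-supplied ID. The following is an added example written for this page, not CloudStack's registerUserKeys implementation or its actual fix: a hypothetical key-rotation service with the unchecked shape next to a checked one. The user directory, the role model (self, domain admin within the same domain, root admin) and all class and method names are constructed assumptions for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical model of the registerUserKeys authorization decision; not CloudStack code. */
public class RegisterUserKeysDemo {
    enum Role { USER, DOMAIN_ADMIN, ROOT_ADMIN }

    static final class User {
        final long id; final String domain; final Role role;
        String apiKey, secretKey;
        User(long id, String domain, Role role) { this.id = id; this.domain = domain; this.role = role; }
    }

    // Constructed sample directory: a root admin, a domain admin and two ordinary users.
    static final Map<Long, User> USERS = new HashMap<>();
    static {
        USERS.put(1L, new User(1L, "ROOT", Role.ROOT_ADMIN));
        USERS.put(2L, new User(2L, "acme", Role.DOMAIN_ADMIN));
        USERS.put(3L, new User(3L, "acme", Role.USER));
        USERS.put(4L, new User(4L, "other", Role.USER));
    }

    static final SecureRandom RNG = new SecureRandom();

    /** 256-bit random key, URL-safe base64 without padding. */
    static String newKey() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Vulnerable shape: trusts the id parameter and never asks who the caller is. */
    static User registerUserKeysUnchecked(long targetId) {
        User u = USERS.get(targetId);
        if (u == null) throw new IllegalArgumentException("no such user");
        u.apiKey = newKey();
        u.secretKey = newKey();
        return u;   // fresh keys for someone else's account, handed to whoever asked
    }

    /** Hardened shape: the caller may only rotate keys for accounts it is allowed to manage. */
    static User registerUserKeysChecked(User caller, long targetId) {
        User target = USERS.get(targetId);
        if (target == null) throw new IllegalArgumentException("no such user");
        boolean permitted = caller.id == target.id
            || caller.role == Role.ROOT_ADMIN
            || (caller.role == Role.DOMAIN_ADMIN && caller.domain.equals(target.domain));
        if (!permitted) {
            throw new SecurityException("caller " + caller.id + " may not manage user " + targetId);
        }
        target.apiKey = newKey();
        target.secretKey = newKey();
        return target;
    }

    public static void main(String[] args) {
        User attacker = USERS.get(4L);
        // Unchecked: the attacker obtains working keys for user 3 and invalidates the real owner's.
        System.out.println("unchecked: new apiKey for user 3: " + registerUserKeysUnchecked(3L).apiKey);
        // Checked: the same request is refused.
        try {
            registerUserKeysChecked(attacker, 3L);
        } catch (SecurityException e) {
            System.out.println("checked: " + e.getMessage());
        }
        // Legitimate paths still work: domain admin over a user in its domain, and self-service.
        System.out.println("domain admin rotates user 3: " + registerUserKeysChecked(USERS.get(2L), 3L).apiKey);
        System.out.println("self-service rotation for user 4: " + registerUserKeysChecked(attacker, 4L).apiKey);
    }
}
```

Two points worth noting when reviewing an API like this: the authorization decision must be made against the authenticated caller, never against anything in the request body, and a failed check should leave the target's existing keys untouched, since silently rotating them is itself a denial of service against the victim.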

CloudStack Test Automation with Trillian and Jenkins

In the previous post, we introduced and described Trillian, which can build various environments in which we could deploy a CloudStack zone and run Marvin based integration tests. In this post, we’ll describe how we are using Jenkins and Trillian to test CloudStack builds in various environments. Build Pipeline Our build pipeline can be seen in the attached flow diagram; it consists of the following: The CloudStack git repository. A Jenkins job for building CloudStack deb/rpm packages for Ubuntu 14.04, CentOS6 and CentOS7. Another Jenkins job for building CloudStack systemvm templates. A staging packages repository server for hosting the deb/rpm packages […]

Shapeblue Security Advisory For CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

Overview Apache CloudStack contains an authentication module providing “single sign-on” functionality via the SAML data format. Under certain conditions, a user could manage to access the user interface without providing proper credentials. As the SAML plugin is disabled by default, this issue only affects installations that have enabled and use SAML-based authentication. Mitigation: Users of Apache CloudStack using the SAML plugin should upgrade to one of the following versions, based on which release they are currently using: 4.5.2.1, 4.6.2.1, 4.7.1.1, or 4.8.0.1. These versions contain only security updates, and no other functionality change. Versions affected: CloudStack versions 4.5.0 and newer […]

Shapeblue Security Advisory for CVE-2015-0235, aka the Ghost vulnerability

Overview A vulnerability has been recently disclosed by Qualys that could result in a remote attacker being able to execute malicious instructions on vulnerable systems. The vulnerability affects Linux based operating systems. This is better known as the GHOST ‘glibc’ vulnerability (CVE-2015-0235): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 What is ShapeBlue Doing ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS). The download template functionality provided by the SSVM to the end user puts it at risk. Since it is a Linux issue, all Apache CloudStack versions are affected. An immediate fix would be to log in to each SSVM and upgrade the glibc package to the one that […]